Comment by formerly_proven
13 days ago
As per the PoC, yes — this is the usual Java Deserialization RCE where it’ll instantiate arbitrary classes. Java serialization really is a gift that keeps on giving.
I love how these always instantly escalate into trivial code execution / reverse shell. Remember kids, C is the enemy!
The "fix" in question also screams "delete this crap immediately": https://github.com/wgtmac/parquet-mr/commit/d185f867c1eb968a...
The fix still loads the class before checking if it’s okay.
That’s a smaller attack window but it’s still not zero.
Java reflection can load classes without initializing them, so no untrusted code would have to be executed at that point.
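The ordering point raised in the replies above (check the name against an allow-list before loading, and load with `initialize=false` so no static initializer runs during resolution), as an added Java example that is not code from the thread or from parquet-mr. The allow-list entries, the `Noisy` class and the serialized inputs are constructed for illustration, and the JEP 290 `ObjectInputFilter` shown applies to stock `ObjectInputStream` deserialization, not necessarily to the mechanism the linked commit patches:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

public class SafeClassResolution {

    // Constructed allow-list for illustration; a real application lists only the
    // types it genuinely expects to read from a stream.
    private static final Set<String> ALLOWED = Set.of("java.lang.String", "java.util.ArrayList");

    // Stand-in for a class named by an untrusted stream: its static initializer
    // runs the moment the class is initialized, before a later check can object.
    static final class Noisy {
        static { System.out.println("  Noisy.<clinit> ran: code executed before the check"); }
    }

    // Ordering criticized in the thread: load (and initialize) first, check second.
    static Class<?> resolveThenCheck(String name) throws ClassNotFoundException {
        Class<?> c = Class.forName(name); // initialize=true: static initializer runs here
        if (!ALLOWED.contains(c.getName())) {
            throw new SecurityException("not allowed: " + name);
        }
        return c;
    }

    // Safer ordering: reject unknown names before touching the class loader, and
    // load with initialize=false so no static initializer runs during resolution.
    static Class<?> checkThenResolve(String name, ClassLoader loader) throws ClassNotFoundException {
        if (!ALLOWED.contains(name)) {
            throw new SecurityException("not allowed: " + name);
        }
        return Class.forName(name, false, loader);
    }

    // For stock Java serialization the same idea is built in (JEP 290): the filter
    // is consulted before ObjectInputStream resolves the class named in the stream.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "java.lang.String;java.util.ArrayList;!*")); // "!*" rejects everything else
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = SafeClassResolution.class.getClassLoader();
        String name = "SafeClassResolution$Noisy";

        // Check-first: the name is rejected and Noisy is never loaded, so nothing prints from it.
        System.out.println("checkThenResolve:");
        try { checkThenResolve(name, cl); }
        catch (SecurityException e) { System.out.println("  rejected before loading: " + e.getMessage()); }

        // Load-first: Noisy's static initializer prints, and only then is the name rejected.
        System.out.println("resolveThenCheck:");
        try { resolveThenCheck(name); }
        catch (SecurityException e) { System.out.println("  rejected, but only after loading: " + e.getMessage()); }

        // Allowed type: resolved without initialization, then usable as normal.
        System.out.println("resolved " + checkThenResolve("java.util.ArrayList", cl).getName());

        // Built-in filter over constructed streams: one expected type, one unexpected one.
        List<String> ok = new ArrayList<>(List.of("a", "b"));
        System.out.println("filtered read of ArrayList: " + deserializeFiltered(serialize(ok)));
        try { deserializeFiltered(serialize(new HashMap<String, String>())); }
        catch (IOException e) { System.out.println("filtered read of HashMap rejected: " + e); }
    }
}
```

Compile and run with `javac SafeClassResolution.java && java SafeClassResolution` (Java 9 or later for `Set.of` and `ObjectInputFilter`). The two resolution methods differ only in ordering and in the `initialize` flag, yet only the load-first variant lets `Noisy`'s static initializer run; the filter case shows the same check applied by the runtime itself, where the `HashMap` stream is refused with an `InvalidClassException` before any of its fields are read.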
This is a bug in Java. Java is considered "memory safe" because of its GC and its VM. This is not a memory safety bug.
It's true. No memory is being used in contravention of the language semantics. Absolutely memory safe.