Comment by stefan_
13 days ago
I love how these always instantly escalate into trivial code execution / reverse shell. Remember kids, C is the enemy!
The "fix" in question also screams "delete this crap immediately": https://github.com/wgtmac/parquet-mr/commit/d185f867c1eb968a...
The fix still loads the class before checking if it’s okay.
That’s a smaller attack window but it’s still not zero.
Java reflection can load classes without initializing them, so no untrusted code would have to be executed at that point.
I haven’t been in Java for a good while. When did they do that?
Static initializers used to load on Classloader calls.
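The load-versus-initialize distinction discussed in the comments above, as an added example (not code from the thread or from the parquet-mr commit): the three-argument `Class.forName` with `initialize` set to `false` loads a class without running its static initializer, and a name allowlist applied before loading avoids touching the class at all. The nested `Untrusted` class, the `ALLOWED` set and the `resolve` helper are constructed for illustration.

```java
import java.util.Set;

public class LoadWithoutInit {
    // Flipped by the nested class's static initializer so we can see when it runs.
    static boolean initializerRan = false;

    // Constructed stand-in for a class named by untrusted input.
    static class Untrusted implements Runnable {
        static { initializerRan = true; }
        public void run() {}
    }

    // Hypothetical allowlist of class names the application will resolve.
    static final Set<String> ALLOWED = Set.of("java.lang.String");

    // Check the name first, then load without initializing, then type-check.
    static Class<?> resolve(String name, Class<?> expected) throws ClassNotFoundException {
        if (!ALLOWED.contains(name)) {
            throw new SecurityException("class not allowlisted: " + name);
        }
        ClassLoader cl = LoadWithoutInit.class.getClassLoader();
        Class<?> c = Class.forName(name, false, cl);
        if (!expected.isAssignableFrom(c)) {
            throw new SecurityException("unexpected type: " + name);
        }
        return c;
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = LoadWithoutInit.class.getClassLoader();
        String name = "LoadWithoutInit$Untrusted";

        // initialize=false: the class is loaded, its static block does not run.
        Class<?> c = Class.forName(name, false, cl);
        System.out.println("after load only, initializer ran: " + initializerRan);
        System.out.println("is a Runnable: " + Runnable.class.isAssignableFrom(c));

        // The one-argument form initializes the class, running the static block.
        Class.forName(name);
        System.out.println("after Class.forName(name), initializer ran: " + initializerRan);

        // The allowlist rejects the name before any class loading happens.
        try {
            resolve(name, Runnable.class);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```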
This is a bug in Java. Java is considered "memory safe" because of its GC and its VM. This is not a memory safety bug.
It's true. No memory is being used in contravention of the language semantics. Absolutely memory safe.