Why no JNDI de-ser killswitch

Bernd Eckenfels ecki at zusammenkunft.net
Mon Dec 13 06:28:53 UTC 2021


Hello,

I can understand that ldapcontext.lookup() still has to use unsafe deserialisation for legacy reasons (JMS factories etc.). But it would be really good if there were a bit more infra, like a killswitch or a URL-prefix filter for JNDI, for those who don’t need that.

It was a rather damaging move to claim that there is a fix when the actual RCE with JNDI is still present.

I think the new ObjectInputStream filters (JEP 290) are a good thing, but they are not easy to set globally on a bigger app server, especially not with 8 and 11 without JEP 415. So I think that’s not sufficient.

Regards
Bernd


--
http://bernd.eckenfels.net
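The JEP 290 filtering the message refers to, as an added example that is not part of this message or of the JDK itself: it uses the Java 9+ java.io.ObjectInputFilter API (on Java 8 the equivalent lives in sun.misc.ObjectInputFilter), and the Unexpected class is a constructed stand-in for any type a service never expects in a stream. The same pattern string can be applied process-wide with -Djdk.serialFilter=..., which is the global setting the message calls hard to roll out on a large app server.

```java
import java.io.*;
import java.util.ArrayList;

public class SerialFilterDemo {
    // Constructed example type: stands in for a class the service never expects to deserialize.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "constructed";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with a per-stream JEP 290 filter (java.io.ObjectInputFilter, Java 9+).
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow-list filter: only the named classes pass, nesting is capped, "!*" rejects all else.
        // The same string works as -Djdk.serialFilter=... for a JVM-wide default filter.
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.String;maxdepth=5;!*");

        ArrayList<String> expected = new ArrayList<>();
        expected.add("ok");
        System.out.println("accepted: " + deserialize(serialize(expected), allowList));

        try {
            deserialize(serialize(new Unexpected()), allowList);
        } catch (InvalidClassException e) {
            // The filter reports REJECTED before any constructor or readObject of Unexpected runs.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```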

