Blacklist approach JDB

Nexus Intelligence Insights Sonatype-2017-0312: jackson-databind, The End of the Blacklist

For our October Nexus Intelligence Insight we will return to a very popular component that has been both a blessing and a curse to developers around the world. We’ll cover a fundamental ...
serialization

Serialization: Protecting Enterprise Critical Applications

Enterprise organizations have built much of their foundations on Oracle’s WebLogic servers. As ubiquitous as they are, it’s no wonder that they are often the target of sophisticated attacks aimed at harvesting ...
Security Boulevard
Ask The Java SE Architect Live from Devoxx UK

Will Dropping Serialization from Java Remove the Vulnerabilities?

During “Ask The Architect” at the Devoxx UK 2018 conference, Oracle’s chief architect, Mark Reinhold, called Java’s serialization mechanism a “horrible mistake” and a virtually endless source of security vulnerabilities. More importantly, ...
Deserialization Vulnerability Confirmed in Nexmo 3.4.0 SDK

Deserialization Vulnerability Confirmed in Nexmo 3.4.0 SDK

Nexmo has confirmed that their 3.4.0 SDK contained the Jackson-databind vulnerability that we announced earlier this week as widespread amongst SaaS SDKs.The deserialization vulnerability can be escalated into remote control execution (RCE) ...
Java Deserialization Vulnerability Found to be Widespread Across SaaS Vendor SDKs

Java Deserialization Vulnerability Found to be Widespread Across SaaS Vendor SDKs

Courtesy (http://gallerycartoon.blogspot.com)Recently, we’ve identified a number of our customers who are susceptible to a deserialization-based remote control execution (RCE) vulnerability. In the majority of cases, a subset of the gadget chain (circumstances ...
Patch for Critical Oracle WebLogic Vulnerability Can Be Bypassed

Patch for Critical Oracle WebLogic Vulnerability Can Be Bypassed

Security researchers warn that a patch recently released by Oracle for a critical vulnerability in its WebLogic Java application server can easily be bypassed. The risk of exploitation is high especially since ...
Security Boulevard
Attack vector containing serialized java array into XML fig 5

Deserialization Attacks Surge Motivated by Illegal Crypto-mining

Imperva’s research group is constantly monitoring new web application vulnerabilities. In doing so, we’ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year. Our analysis shows ...