Issue Summary

      fix

      This is reproducible on Data Center: Yes

      Steps to Reproduce

      1. Cannot be reproduced

      Expected Results

      Where possible, restrict the set of classes that can be deserialized. OWASP’s recommendation for readObject calls is to subclass the ObjectInputStream class, and override resolveClass to throw an exception if an unexpected type is deserialized. This would require understanding which classes need to be deserialized in each case.

      Actual Results


      The below exception is thrown in the xxxxxxx.log file:

      ...
      

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.


            [CONFSERVER-97846] [9.0] Fix Risky deserialization calls


              Akshay Rai
              Affected customers: 0
              Watchers: 1
