[9.0] Fix Risky deserialization calls


    • Severity 3 - Minor

      Issue Summary

      fix

      This is reproducible on Data Center: Yes

      Steps to Reproduce

      1. Cannot be reproduced

      Expected Results

      Where possible, restrict the set of classes that can be deserialized. OWASP’s recommendation for readObject calls is to subclass the ObjectInputStream class, and override resolveClass to throw an exception if an unexpected type is deserialized. This would require understanding which classes need to be deserialized in each case.

      Actual Results

      The below exception is thrown in the xxxxxxx.log file:

      ...
      

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

            Assignee:
            Akshay Rai
            Reporter:
            Akshay Rai