jetcache kryo 4.0.0 BDSA-2016-1151 vulnerability: Kryo Java serialization API may be leveraged to perform denial-of-service (DoS) attacks, memory corruption and eventually remote code execution (RCE) attacks due to not enforcing white-listing (class registration) by default when deserializing.
- No description provided.
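
The class-registration enforcement named in the issue title, as an added example that is not part of the original post and not JetCache's own code. It assumes Kryo 4.x on the classpath; `KryoRegistrationDemo`, `CachedUser` and `Unexpected` are constructed names for illustration.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

public class KryoRegistrationDemo {
    // Constructed sample types; the names are assumptions for this example.
    public static class CachedUser { public String name; public int age; }
    public static class Unexpected { public String note; }

    // Registration not required: the byte stream names the class to instantiate.
    static Kryo permissive() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false);
        return kryo;
    }

    // Hardened: only explicitly registered classes may be written or read.
    static Kryo strict() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(CachedUser.class);
        return kryo;
    }

    static byte[] write(Kryo kryo, Object value) {
        Output out = new Output(256, -1);
        kryo.writeClassAndObject(out, value);
        return out.toBytes();
    }

    static Object read(Kryo kryo, byte[] bytes) {
        return kryo.readClassAndObject(new Input(bytes));
    }

    public static void main(String[] args) {
        CachedUser user = new CachedUser();
        user.name = "alice"; user.age = 30;
        // A registered type round-trips through the strict configuration.
        CachedUser back = (CachedUser) read(strict(), write(strict(), user));
        System.out.println("strict round trip: " + back.name);

        // Bytes that carry a class name, as an entry holding an unregistered type would.
        byte[] foreign = write(permissive(), new Unexpected());
        System.out.println("permissive read: " + read(permissive(), foreign).getClass().getName());
        try {
            read(strict(), foreign);
        } catch (RuntimeException e) {
            System.out.println("strict read rejected: " + e.getMessage());
        }
    }
}
```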
2 answers
0dxa2lsx #1
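How would this even be triggered? Deserialization seems to happen only when the web server fetches data from redis, so it seems to be of little use. If someone can already modify the data in redis, then RCE doesn't seem to be of much use either...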
yzxexxkh #2
In which Kryo release was this issue (BDSA-2016-1151) resolved?