(www.bleepingcomputer.com)

174 points andy99 | 1 comments | 06 Apr 25 17:21 UTC | HN request time: 0.001s | source

Show context

formerly_proven ◴[06 Apr 25 17:47 UTC] No.43603309[source]▶

As per the PoC, yes — this is the usual Java Deserialization RCE where it’ll instantiate arbitrary classes. Java serialization really is a gift that keeps on giving.

replies(2): >>43603416 #>>43603473 #

stefan_ ◴[06 Apr 25 17:58 UTC] No.43603416[source]▶

>>43603309 #

I love how these always instantly escalate into trivial code execution / reverse shell. Remember kids, C is the enemy!

The "fix" in question also screams "delete this crap immediately": https://github.com/wgtmac/parquet-mr/commit/d185f867c1eb968a...

replies(2): >>43603502 #>>43603648 #

pclmulqdq ◴[06 Apr 25 18:08 UTC] No.43603502[source]▶

>>43603416 #

This is a bug in Java. Java is considered "memory safe" because of its GC and its VM. This is not a memory safety bug.

replies(1): >>43605304 #

1. chowells ◴[06 Apr 25 21:58 UTC] No.43605304[source]▶

>>43603502 #

It's true. No memory is being used in contravention of the language semantics. Absolutely memory safe.

↑

Max severity RCE flaw discovered in widely used Apache Parquet