Automotive Security: It’s More Than Just What’s Under The Hood

True auto safety can only be achieved by knowing what every piece of code and hardware is that goes into the car.

Aleksei Tiurin, Acunetix – Paul’s Security Weekly #581

Aleksei Tiurin is the Senior Security Researcher for Acunetix. Aleksei is giving a technical segment on insecure deserialization in Java/JVM and explains what polymorphism is. Aleksei Tiurin is a security researcher and pentester with over 8 years of e…

VU#581311: TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks

The TP-LINK EAP Controller is TP-LINK’s software for remotely controlling wireless access point devices. EAP Controller for Linux lacks user authentication for RMI service commands, as well as utilizing an outdated vulnerable version of Apache commons-collections, which may allow an attacker to implement deserialization attacks and control the EAP Controller server.

Will Dropping Serialization from Java Remove the Vulnerabilities?

During “Ask The Architect” at the Devoxx UK 2018 conference, Oracle’s chief architect, Mark Reinhold, called Java’s serialization mechanism a “horrible mistake” and a virtually endless source of security vulnerabilit…

Deserialization Vulnerability Confirmed in Nexmo 3.4.0 SDK

Nexmo has confirmed that their 3.4.0 SDK contained the Jackson-databind vulnerability that we announced earlier this week as widespread amongst SaaS SDKs.
The deserialization vulnerability can be escalated into remote control execution (RCE) by tr…

Java Deserialization Vulnerability Found to be Widespread Across SaaS Vendor SDKs

Recently, we’ve identified a number of our customers who are susceptible to a deserialization-based remote control execution (RCE) vulnerability. In the majority of cases, a subset of the gadget chain…

Patch for Critical Oracle WebLogic Vulnerability Can Be Bypassed

Security researchers warn that a patch recently released by Oracle for a critical vulnerability in its WebLogic Java application server can easily be bypassed. The risk of exploitation is high especially since exploit code is already available for the…

Deserialization Attacks Surge Motivated by Illegal Crypto-mining

Imperva’s research group is constantly monitoring new web application vulnerabilities. In doing so, we’ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year. Our analysis shows that, in…

The State of Web Application Vulnerabilities in 2017

As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newslett…