News: Issue with popular software libraries leaves apps exposed.
40 more software libraries may be affected by a Java deserialisation vulnerability than was originally thought, following initial research by Foxglove Security.
The risk comes from apps that deserialise untrusted input without validating it first, which affects any app that accepts serialised Java objects.
Various popular open source libraries are involved, including hadoop-mapreduce-client-core, Apache Directory API All, and Standalone Jar.
"Developers that use these libraries in their applications should be aware of the risk and should check carefully if they’re deserializing untrusted data," he said.
The initial research by Foxglove Security in November described the vulnerability as "The most underrated, underhyped vulnerability of 2015", and said that various popular products had, at the time the post was written, not been patched.
Fenton says that "the real underlying issue is that many established, popular, and well maintained applications were still deserializing user-supplied data."
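One way to implement the check developers are urged to make, as an added example that is not part of the original article: a look-ahead ObjectInputStream that rejects any class outside an allow list before an instance of it is created. The Greeting type, the AllowListObjectInputStream class and the sample inputs are constructed for this example; on Java 9 and later the built-in ObjectInputFilter (JEP 290) offers the same control.

```java
import java.io.*;
import java.util.Collections;
import java.util.Set;

public class SafeDeserialization {

    /** The one message type this application genuinely expects (constructed for this example). */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Look-ahead stream: the class name is checked before the object is instantiated. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Throwing here aborts the stream before readObject() can build an object of an unexpected class.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on the deserialisation allow list");
            }
            return super.resolveClass(desc);
        }
    }

    /** Deserialise bytes received from an untrusted source, accepting only Greeting. */
    static Greeting readGreeting(byte[] untrusted) throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(Greeting.class.getName());
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(untrusted), allowed)) {
            return (Greeting) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        // Constructed input 1: a legitimate Greeting, serialised in-process -> accepted.
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(new Greeting("hello")); }
        System.out.println("accepted: " + readGreeting(buf.toByteArray()).text);
        // Constructed input 2: an ordinary object of a class the app never expects -> rejected.
        buf.reset();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(new java.util.Date()); }
        try { readGreeting(buf.toByteArray()); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The allow list must name exactly the classes the endpoint is designed to receive; a broad list defeats the purpose of the check.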