Thanks Gary for the insightful thread. Maybe run our code base against a threat 
ID tool?

Debo

Sent from my iPhone

> On Sep 13, 2017, at 10:14 AM, Gang(Gary) Wang <[email protected]> wrote:
> 
> One of our contributors told me that this breach is related to a
> serialized object that Mnemonic has tried to avoid as below
> 
> "However, “for either vulnerability, the process is basically the same. The
> attacker sends a specific HTTP request containing some special syntax.  In
> one case, an OGNL expression.  In the other, a serialized object,” he said
> in comments emailed to SC Media. “The Equifax Struts application would
> receive this request, and get tricked into executing operating system
> commands.”
> 
> The attacker can then “use these to take over the entire box – do anything
> the application can do,” Williams said. “So, they probably stole the
> database credentials out of the application, ran some queries, and then
> exfiltrated the data to some server they control on the internet.”"
> 
> https://www.scmagazine.com/apache-struts-vulnerability-likely-behind-equifax-breach-congress-launches-probes/article/687955/
> 
> IMHO, from the technical view point, Mnemonic has nothing to do with how to
> interact with the UI layer. Theoretically, Mnemonic's linked durable objects
> could be transferred between different layers to avoid SerDe; user code
> makes use of those durable objects for its own business logic.
> 
> Regarding the Durable Query Model (DQM), it has not yet been fully
> implemented; we need to consider any possible injection and provide the
> proper measures to prevent potential breaches.
> 
> Thanks!
