Hi,
Your text sounds like boilerplate (see
https://forums.adobe.com/thread/2066435?start=0&tstart=0 ) but I've had
a look anyway. Our code is public so anybody including your internal IT
staff can look for security flaws.
I also looked myself at the trunk version
- readObject is not used
- Serializable is used. Some are because of an implementation that did
use readObject, but this implementation no longer exists. I'll remove
Serializable there. Another one (FieldUtils) has it probably because
SonarQube recommended to do it (Comparator). However nothing is
serialized there, and this comparator is used only in one package.
Tilman
Am 22.01.2016 um 23:08 schrieb Kiernan, Dan:
Good afternoon, our company utilizes the PDFBox software and have been notified
by our internal IT staff that there is a potential risk for programs developed
with Java code, where they deserialize untrusted data without verifying the
results first. Would anyone on this mailing list be able to advise as to
whether this particular software is at risk.
Additional background about the vulnerability is available at the following web
link: http://cwe.mitre.org/data/definitions/502.html
Due to the nature of this particular risk our company is very concerned and
appreciate any insight and assistance in determining this would be appreciated.
If there are any questions or concerns please do not hesitate to contact me.
Thank you,
Dan Kiernan | IT System Analyst-Sr | CSS - Corporate Services | 515.991.4130
The Principal Financial Group(r) | Connect with Us on Twitter<http://www.twitter.com/theprincipal> |
Facebook<http://www.facebook.com/PrincipalFinancial> | Blog<blog.principal.com> |
LinkedIn<http://www.principal.com/linkedin> | YouTube<http://www.youtube.com/principalfinancial>
-----Message Disclaimer-----
This e-mail message is intended only for the use of the individual or entity to
which it is addressed, and may contain information that is privileged,
confidential and exempt from disclosure under applicable law. If you are not
the intended recipient, any dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this communication
in error, please notify us immediately by reply email to [email protected]
and delete or destroy all copies of the original message and attachments
thereto. Email sent to or from the Principal Financial Group or any of its
member companies may be retained as required by law or regulation.
Nothing in this message is intended to constitute an Electronic signature for purposes of
the Uniform Electronic Transactions Act (UETA) or the Electronic Signatures in Global and
National Commerce Act ("E-Sign") unless a specific statement to the contrary is
included in this message.
If you no longer wish to receive any further solicitation from the Principal
Financial Group you may unsubscribe at
https://www.principal.com/do-not-contact-form any time.
If you are a Canadian resident and no longer wish to receive commercial
electronic messages you may unsubscribe at
https://www.principal.com/do-not-email-request-canadian-residents any time.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
