[
https://issues.apache.org/jira/browse/CXF-6711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058793#comment-15058793
]
Daniel Kulp commented on CXF-6711:
----------------------------------
Honestly, I cannot figure out how that would be set to "true".
It defaults to false, which is good. There is no configuration that can be
used to set it to true. The only way would be to use java code to dig through
the Aegis registry to find the ObjectType and then manually set it. Not
likely to happen.
In addition, even if you can figure out how to set it, it doesn't even work
"correctly". If set, it should have written out in base64 if unknown. It
doesn't do that. It still writes as xml elements as if there was a schema.
The only thing setting this to true would allow is some level of acceptance of
messages that are NOT coming from CXF clients. Thus, there is likely NO
reason to have ever set this to true. My only thinking is that this is some
remnant of old XFire code that wasn't fully removed. I'm going to go ahead
and remove it.
> Aegis Databinding Deserialization Vulnerability
> -----------------------------------------------
>
> Key: CXF-6711
> URL: https://issues.apache.org/jira/browse/CXF-6711
> Project: CXF
> Issue Type: Bug
> Components: Aegis Databinding
> Affects Versions: 3.1.4
> Reporter: Moritz Bechler
>
> Just had a quick look after the topic came up on -users. Aegis Databinding
> seems to perform unsafe deserialization when serializedWhenUnknown=true. Not
> sure how common that is (and actually no experience with aegis at all), but
> if used and enabled that's pretty much direct remote code execution.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)