On Wed, Aug 4, 2021 at 7:53 AM Artem Smotrakov
<[email protected]> wrote:
>
> Hi All,
>
> You might have heard about deserialization vulnerabilities. If you use
> Jackson libraries and run a security scanner, you might have received quite a
> lot of alerts about deserialization vulnerabilities. Those findings are quite
> often false alerts because applications often use Jackson in a safe way. But
> sometimes they don't, and deserialization attacks become a real threat. Now
> the real issues in applications can be detected with CodeQL. In case you
> don't know, CodeQL is a code analysis engine. I recently updated the
> java/unsafe-deserialization query to cover Jackson as well.
>
> https://github.com/github/codeql/blob/3b676d432f4ccc02588147f8db21bae6d73136e9/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
>
> The query checks the conditions for unsafe deserialization that Tatu 
> described earlier
>
> https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
>
> I also wrote a short blog post about the query
>
> https://blog.gypsyengineer.com/en/security/detecting-jackson-deserialization-vulnerabilities-with-codeql.html
>
> Artem

Thank you for sharing this! This looks very interesting.

-+ Tatu +-
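An added example, not code from the thread or from the CodeQL project: the configuration pattern the java/unsafe-deserialization query targets (default typing enabled, untrusted input read into a broad target) beside the allow-list form Jackson offers since 2.10. The JSON input and the `com.example.model.` package prefix are constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed input: with default typing on, the JSON itself names the class
    // to instantiate (wrapper-array form), so untrusted input picks the type.
    static final String UNTRUSTED_JSON =
        "[\"java.util.HashMap\", {\"name\": \"hello\"}]";

    // The shape the CodeQL query looks for: default typing enabled, then
    // untrusted input deserialized into a broad target such as Object.
    static Object deserializeUnsafe(String json) throws JsonProcessingException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for this reason
        return mapper.readValue(json, Object.class);
    }

    // Hardened form (Jackson 2.10+): polymorphic typing stays on, but only
    // subtypes under an explicit allow-list (hypothetical package prefix) resolve;
    // any other type id is rejected before the class is loaded.
    static Object deserializeSafe(String json) throws JsonProcessingException {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper.readValue(json, Object.class);
    }

    public static void main(String[] args) throws JsonProcessingException {
        // The unsafe mapper instantiates whatever class the input names.
        Object o = deserializeUnsafe(UNTRUSTED_JSON);
        System.out.println("unsafe: built a " + o.getClass().getName());

        // The safe mapper refuses the type id (InvalidTypeIdException).
        try {
            deserializeSafe(UNTRUSTED_JSON);
            System.out.println("safe: unexpectedly accepted the type id");
        } catch (JsonProcessingException e) {
            System.out.println("safe: rejected -> " + e.getOriginalMessage());
        }
    }
}
```

Only the first mapper should be reported by the query; the second keeps polymorphic typing usable while pinning the set of classes input can name.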

>
> --
> You received this message because you are subscribed to the Google Groups 
> "jackson-user" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/jackson-user/2e60fbb4-746b-42e1-8f68-c3f6de4067abn%40googlegroups.com.
