Hello, I can understand that ldapcontext.lookup() still has to use unsafe deserialisation for legacy reasons (JMS factories etc.). But it would be really good if there were a bit more infra like a killswitch or URL-prefix filter for JNDI for those who don’t need that.
It was a rather damaging move to claim that there is a fix when the actual RCE with JNDI is still present. I think the new ObjectInputStream filters (JEP 290) are a good thing, but they are not easy to set globally on a bigger app server, especially not with 8 and 11 without JEP 415. So I think that’s not sufficient.

Regards
Bernd
--
http://bernd.eckenfels.net
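As an added example (not from Bernd's mail and not JDK project code), the JEP 290 process-wide filter the mail refers to, installed once via ObjectInputFilter.Config.setSerialFilter on Java 9+ so that every ObjectInputStream in the JVM honours an allow-list; the class names and the filter pattern are assumptions chosen for the demo.

```java
import java.io.*;

public class SerialFilterDemo {
    // The one application type we expect to read back from a stream.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }
    // Stands in for any class an attacker-controlled stream could name.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        // No per-stream setObjectInputFilter() call: the global filter applies here.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow-list: our Greeting plus java.base, reject everything else ("!*").
        // Same effect as starting the JVM with
        //   -Djdk.serialFilter='SerialFilterDemo$Greeting;java.base/*;!*'
        // setSerialFilter may be called only once per JVM (IllegalStateException otherwise).
        ObjectInputFilter.Config.setSerialFilter(
            ObjectInputFilter.Config.createFilter("SerialFilterDemo$Greeting;java.base/*;!*"));

        Greeting g = (Greeting) deserialize(serialize(new Greeting("hi")));
        System.out.println("allowed: " + g.text);

        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: Unexpected was deserialized");
        } catch (InvalidClassException e) {
            // JEP 290 rejects before the class is instantiated: "filter status: REJECTED"
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```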