One thing I really liked about the write-up is the thoroughness with which everything was explained. Nothing was assumed. The author explains what Burp is and why it was used, broke down the basics at a high level and then touched on the simple things, and showed exploits in multiple frameworks. Really a well done article just from a write-up perspective, let alone the impact of the issue.
Anyone actually have a CVE I can reference in talks to leadership so I don't look like a neckbeard security geek that's acting self-important?
Kenn White said it best: "This will get very ugly: unpatched, full remote exec on Java-based web svcs that use a popular serialization library
This is very similar to the series of serialization vulnerabilities that hit the Ruby on Rails world in early 2013.
Black hats are going to have fun with this one. :-(
https://www.reddit.com/r/netsec/comments/3rrr9z/what_do_webl...
http://mail-archives.apache.org/mod_mbox/commons-dev/201511....
https://www.owasp.org/index.php/Information_leak_through_ser...
The first thing I thought was "written in Java". The more straightforward headline would have been better, I think.
I had to backport a fix for a similar vulnerability in a Seam installation three years ago. The solution at the time was to limit the directories and sources from which serialized object representations could be read.
I'm from the Jenkins project.
I wish the authors of this post gave us a heads up beforehand. It put our users at unnecessary risk.
At the Jenkins project, we've published a mitigation script (https://jenkins-ci.org/content/mitigating-unauthenticated-re...) while we work out a better fix for users.