[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2021-41616: Apache ddlutils 1.0 readobject vulnerability
From:       Bryan Pendleton <bpendleton () apache ! org>
Date:       2021-09-29 14:53:20
Message-ID: e52e8004-ef2f-bd45-a994-81f076002ae7 () apache ! org
[Download RAW message or body]

Description:

Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for=
 use when migrating database data with a SQL data type of BINARY, VARBINARY=
, LONGVARBINARY, or BLOB between databases using the ddlutils features. The=
 BinaryObjectsHelper  class was insecure and used ObjectInputStream.=
readObject without validating that the input data was safe to deserialize.

Please note that DdlUtils is no longer being actively developed. To address=
 the insecurity of the BinaryObjectHelper class, the following changes to =
DdlUtils have been made: (1) BinaryObjectsHelper.java has been deleted from=
 the DdlUtils source repository and the DdlUtils feature of propagating =
data of SQL binary types is therefore no longer present in DdlUtils; (2) =
The ddlutils-1.0 release has been removed from the Apache Release =
Distribution Infrastructure; (3) The DdlUtils web site has been updated to =
indicate that DdlUtils is now available only as source code, not as a =
packaged release.

[prev in list] [next in list] [prev in thread] [next in thread]