Security Vulnerability - Action Required: Buffer overflow may happen in the newest version of ONOS


James Watt

Nov 2, 2023, 7:18:14 AM11/2/23
to onos...@opennetworking.org
Hi there,

I think a buffer overflow may happen in the file utils/misc/src/main/java/org/onlab/util/KryoNamespace.java when you use the Kryo library to serialize and deserialize Java objects. The affected methods are as follows:

1. org.onlab.util.KryoNamespace.serialize(final Object obj, final int bufferSize)
2. org.onlab.util.KryoNamespace.deserialize(final byte[] bytes)
3. org.onlab.util.KryoNamespace.borrow()
4. org.onlab.util.KryoNamespace.release(Kryo kryo)
5. org.onlab.util.KryoNamespace.run(KryoCallback<T> callback)

Maybe you should fix this vulnerability with the same patch as in the project https://github.com/atomix/atomix, which has the same issue. The patch link is https://github.com/atomix/atomix/commit/6aacc4627df06183afd163ce043d0d740c7829dc

Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me. Thank you, and I look forward to hearing from you soon.

Best regards,
Yiheng Cao

