Deserialization of Untrusted Data in Apache OpenJPA


Andri Penguin

Aug 21, 2022, 7:57:01 AM
to Folly: the Facebook Open-source LibrarY
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.

CVE-2013-1768
GHSA-j65f-mvgw-prp2
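The advisory gives two affected ranges (1.x before 1.2.3, 2.x before 2.2.2). The following is an added example, not code from this thread or from the OpenJPA project, that checks Maven-style org.apache.openjpa:openjpa version strings against those ranges and names the first fixed release on the same branch; the dependency coordinates it scans are constructed sample input.

```python
"""Check whether an org.apache.openjpa:openjpa version falls in the ranges
affected by CVE-2013-1768 (1.x before 1.2.3, 2.x before 2.2.2) as stated in
the advisory above. Added example, not code from the thread or from OpenJPA."""
import re
from typing import List, Optional, Tuple

# Affected major branches and the first fixed release on each, per the advisory.
FIXED_BY_MAJOR = {1: (1, 2, 3), 2: (2, 2, 2)}

def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a Maven-style version ("2.2.1", "1.2", "2.2.1-SNAPSHOT") into
    (major, minor, patch); missing parts default to 0, qualifiers are ignored."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def is_affected(version: str) -> bool:
    """True if the version is inside one of the advisory's affected ranges."""
    parsed = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(parsed[0])
    if fixed is None:
        return False  # branches the advisory does not list (e.g. 3.x)
    return parsed < fixed

def recommended_upgrade(version: str) -> Optional[str]:
    """First fixed release on the same branch, or None when not affected."""
    if not is_affected(version):
        return None
    return ".".join(str(p) for p in FIXED_BY_MAJOR[parse_version(version)[0]])

def scan_dependencies(coords: List[str]) -> List[Tuple[str, str]]:
    """Return (version, upgrade) for each affected org.apache.openjpa:openjpa entry."""
    findings = []
    for coord in coords:
        group, artifact, ver = coord.strip().split(":")
        if (group, artifact) == ("org.apache.openjpa", "openjpa") and is_affected(ver):
            findings.append((ver, recommended_upgrade(ver)))
    return findings

# Constructed sample dependency coordinates (not taken from the thread).
SAMPLE_DEPS = [
    "org.apache.openjpa:openjpa:1.2.2",
    "org.apache.openjpa:openjpa:2.2.1-SNAPSHOT",
    "org.apache.openjpa:openjpa:2.2.2",
    "org.example:other-lib:1.0.0",
]

if __name__ == "__main__":
    for ver, fix in scan_dependencies(SAMPLE_DEPS):
        print(f"openjpa {ver} is affected by CVE-2013-1768; upgrade to {fix}")
```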

Fixing a security update for org.apache.openjpa:openjpa

이상준

Sep 11, 2022, 10:06:14 AM
to faceboo...@googlegroups.com


On Sun, Aug 21, 2565 (Buddhist Era) at 8:57 PM, Andri Penguin <hackeron...@gmail.com> wrote:
--

---
You received this message because you are subscribed to the Google Groups "Folly: the Facebook Open-source LibrarY" group.
To unsubscribe from this group and stop receiving emails from it, send an email to facebook-foll...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/facebook-folly/4cd7503d-d3cd-40a5-9ec2-fd7d58daf2b1n%40googlegroups.com.
--
Lee Sang-joon

이상준

Sep 11, 2022, 10:07:09 AM
to faceboo...@googlegroups.com, 이상준
On Sun, Aug 21, 2565 (Buddhist Era) at 8:57 PM, Andri Penguin <hackeron...@gmail.com> wrote:
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
--
Lee Sang-joon

이상준

Sep 11, 2022, 10:08:51 AM
to faceboo...@googlegroups.com
On Sun, Aug 21, 2565 (Buddhist Era) at 8:57 PM, Andri Penguin <hackeron...@gmail.com> wrote:
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
--
Lee Sang-joon