
alarms: use HardenedLoggingEventInputStream to address possible RCE when #8084

Open
DmitryLitvintsev wants to merge 1 commit into 11.0 from 14678/11.0

Conversation

@DmitryLitvintsev

deserializing log messages

Motivation:

It has been reported that alarm server is vulnerable to RCE attack due to unprotected object deserialization.

Modification:

Replace ObjectInputStream with HardenedLoggingEventInputStream from log4j

Result:

Better protection against RCE

Patch: https://rb.dcache.org/r/14678/
Acked-by: Anastasiia Chub
Target: trunk
Request: 11.2, 11.1, 11.0, 10.2

Require-notes: yes
Require-book: no

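The following is an added example, not code from dCache, from this pull request, or from the logging library it names. It shows the vulnerable pattern the commit message describes (a bare `ObjectInputStream.readObject()` on data received from the network) next to the hardening technique that a `Hardened*InputStream` applies: overriding `resolveClass()` so that only an allowlisted class may be resolved, which rejects an unexpected type before any instance of it exists. `AlarmEvent`, `Unexpected` and `AllowlistObjectInputStream` are constructed names for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example (not dCache or logging-library code): "before" and "after"
 * of replacing a bare ObjectInputStream with an allowlisting subclass.
 * AlarmEvent and Unexpected are constructed stand-ins for real classes.
 */
public class HardenedDeserializationDemo {

    /** Constructed stand-in for the single event type the receiver expects. */
    static final class AlarmEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        AlarmEvent(String message) { this.message = message; }
    }

    /** Constructed stand-in for any other Serializable class on the classpath. */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Before: any Serializable class on the classpath can be instantiated from the wire. */
    static Object readUnprotected(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    /**
     * After: resolveClass() runs when the class descriptor is read, before any
     * instance of that class exists, so a class that is not on the allowlist is
     * rejected before it gets a chance to execute its own readObject() logic.
     */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readHardened(byte[] wire) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(AlarmEvent.class.getName());
        try (ObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(wire), allowed)) {
            return in.readObject();
        }
    }

    /** Produces the bytes a sender would put on the socket (constructed input). */
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] event = serialize(new AlarmEvent("pool offline"));
        byte[] other = serialize(new Unexpected());

        // The unprotected reader instantiates whatever class the sender named.
        System.out.println("unprotected: " + readUnprotected(event).getClass().getSimpleName());
        System.out.println("unprotected: " + readUnprotected(other).getClass().getSimpleName());

        // The hardened reader accepts the expected event and rejects everything else.
        System.out.println("hardened:    " + ((AlarmEvent) readHardened(event)).message);
        try {
            readHardened(other);
        } catch (InvalidClassException e) {
            System.out.println("hardened:    rejected " + e.classname);
        }
    }
}
```

In a real receiver the allowlist has to name the event class and every Serializable type its fields reference (the JDK value types a logging event carries), since each of those passes through `resolveClass()` as well; an entry that is missing shows up as an `InvalidClassException` on legitimate traffic rather than as a silent bypass, which is the failure direction a defender wants. On Java 9 and later the same policy can be expressed with the JDK's own `ObjectInputFilter` (JEP 290) instead of a subclass.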