by dvhh
1656 days ago
- Newer versions of the JDK kind of mitigate the issue by disallowing, by default, the vector used to get the untrusted code.
- Parameters are affected as well, as it seems that there is some form of recursive string interpolation going on.
- Packet inspection would look for the string interpolation for a JNDI lookup in the client message, "${jndi:", which in most cases should have no reason to be in client traffic (if not compressed). Again, the risk is real when the server uses unsanitized client data.