A Vulnerability With Java Apps and Servers Still Unsolved?
It was first reported by security researchers nine months ago, but a vulnerability in the popular Apache Commons library continues to put thousands of Java applications and servers at risk of a remote code execution attack.
Over nine months ago a vulnerability was discovered in Apache's Commons Library enabling hackers to remotely execute a code attack.
It creates the possibility of a deserialization in the reusable code in the collections component of the repository. The serialization component allows for streaming bytes for transport and/or storage and the deserialization reverses the process upon receipt at its destination.
The attackers can then send malicious objects to be deserialized. This allows for an exploit on the remote machine without the need for a password or username.
I originally got a notice a few months back from a dedicated server provider and within days I was informed this was no longer a threat. Then today I read it was still an unsolved threat when reading an article at ADTMag.
Has anyone here any clear knowledge of whether this threat is still a vulnerability with their servers? My servers a supposed to be covered, I've called twice today. They don't have a clear message of why, they just keep telling me not to worry and that I am are covered. Seems to be contrary to the news sector.
It was first reported by security researchers nine months ago, but a vulnerability in the popular Apache Commons library continues to put thousands of Java applications and servers at risk of a remote code execution attack.
Over nine months ago a vulnerability was discovered in Apache's Commons Library enabling hackers to remotely execute a code attack.
It creates the possibility of a deserialization in the reusable code in the collections component of the repository. The serialization component allows for streaming bytes for transport and/or storage and the deserialization reverses the process upon receipt at its destination.
The attackers can then send malicious objects to be deserialized. This allows for an exploit on the remote machine without the need for a password or username.
I originally got a notice a few months back from a dedicated server provider and within days I was informed this was no longer a threat. Then today I read it was still an unsolved threat when reading an article at ADTMag.
Has anyone here any clear knowledge of whether this threat is still a vulnerability with their servers? My servers a supposed to be covered, I've called twice today. They don't have a clear message of why, they just keep telling me not to worry and that I am are covered. Seems to be contrary to the news sector.
