Gregor Samsa: Exploiting Java's XML Signature Verification
Nov. 2, 2022, 11:41 a.m. | noreply@blogger.com (Google Project Zero)
Project Zero googleprojectzero.blogspot.com
By Felix Wilhelm, Project Zero
Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A custom JIT compiler processing untrusted XSLT programs, exposed to remote attackers during XML signature verification. This post discusses CVE-2022-34169, an integer truncation bug in this JIT compiler resulting in arbitrary code execution in many Java-based web applications and identity providers that support the SAML single-sign-on standard.
OpenJDK fixed the discussed issue in July 2022. The Apache BCEL …