While both approaches have benefits, the allowlist model is more secure because it permits deserialization only of classes known to be required by WebLogic Server and customer applications. With the blocklist model, WebLogic Server defines a set of well-known classes and packages that are vulnerable and blocks them from being deserialized; every other class can be deserialized. With the allowlist model, WebLogic Server and the customer define the list of classes and packages that are acceptable to deserialize, and WebLogic Server blocks all other classes.
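Added example, not WebLogic's own code: the two models expressed as JDK `ObjectInputFilter` (JEP 290) pattern strings, the standard mechanism such a filter is built on. The blocklist package names and the `Order`/`Unexpected` classes are constructed; `Unexpected` stands for any class that is on no blocklist and is not required by the application, which the blocklist filter still deserializes and the allowlist filter rejects.

```java
import java.io.*;

// Added example: blocklist vs allowlist deserialization filters built on the JDK's
// ObjectInputFilter (JEP 290). Not WebLogic's code; the blocklist package names are constructed.
public class FilterModels {
    // A class the application legitimately needs to deserialize.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        Order(int id) { this.id = id; }
    }
    // Stands in for any class that is neither required nor on the blocklist.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }
    // Blocklist model: only the named (placeholder) packages are rejected; any class not
    // matched is UNDECIDED, so it is deserialized.
    static final ObjectInputFilter BLOCKLIST =
        ObjectInputFilter.Config.createFilter("!com.example.knownbad.**;!com.example.alsobad.**");
    // Allowlist model: only required classes are named; the trailing "!*" rejects all others.
    static final ObjectInputFilter ALLOWLIST =
        ObjectInputFilter.Config.createFilter(Order.class.getName() + ";!*");
    // Serializes obj, standing in for an untrusted byte stream arriving at the server.
    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return bos.toByteArray();
    }
    // Returns "accepted" or "rejected" according to the filter's decision on the stream.
    static String tryDeserialize(byte[] bytes, ObjectInputFilter filter) throws IOException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);   // must be set before the first readObject()
            ois.readObject();
            return "accepted";
        } catch (InvalidClassException e) {     // thrown when the filter returns REJECTED
            return "rejected";
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }
    public static void main(String[] args) throws IOException {
        byte[] order = serialize(new Order(42));
        byte[] unexpected = serialize(new Unexpected());
        System.out.println("blocklist/Order=" + tryDeserialize(order, BLOCKLIST)
            + " blocklist/Unexpected=" + tryDeserialize(unexpected, BLOCKLIST));
        System.out.println("allowlist/Order=" + tryDeserialize(order, ALLOWLIST)
            + " allowlist/Unexpected=" + tryDeserialize(unexpected, ALLOWLIST));
    }
}
```

Requires Java 9 or later for `java.io.ObjectInputFilter`; a pattern filter returns UNDECIDED for any class it does not match, which is why a blocklist alone lets unknown classes through.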