5.3.10. JDK
5.3.10.1. JDK 6
5.3.10.1.1. 6u45
java.rmi.server.useCodebaseOnly defaults to true, which disables automatic loading of remote class files
5.3.10.1.2. 6u141
com.sun.jndi.rmi.object.trustURLCodebase
Default is false
com.sun.jndi.cosnaming.object.trustURLCodebase
Default is false
5.3.10.1.3. 6u211
Code from LDAP remote references is not trusted by default, which affects attacks that rely on LDAP remote reference code
5.3.10.2. JDK 7
5.3.10.2.1. 7u40
The java.io.File class adds the isInvalid method, which detects whether the filename contains null bytes
5.3.10.2.2. 7u122
com.sun.jndi.rmi.object.trustURLCodebase
Default is false
com.sun.jndi.cosnaming.object.trustURLCodebase
Default is false
5.3.10.2.3. 7u201
Code from LDAP remote references is not trusted by default, which affects attacks that rely on LDAP remote reference code
5.3.10.3. JDK 8
sun.net.www.protocol
The gopher protocol is no longer supported
5.3.10.3.1. 8u113
com.sun.jndi.rmi.object.trustURLCodebase
Default is false
com.sun.jndi.cosnaming.object.trustURLCodebase
Default is false
5.3.10.3.2. 8u121
RMI has added a deserialization whitelist mechanism
Code from RMI remote references is not trusted by default, which affects attacks that rely on RMI remote reference code
5.3.10.3.3. 8u191
Code from LDAP remote references is not trusted by default, which affects attacks that rely on LDAP remote reference code
5.3.10.3.4. 8u251
The com.sun.org.apache.bcel.internal.util.ClassLoader class was removed
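The defaults listed above are system properties, so an explicit -D option can switch them back on a patched JDK. The following added example (not part of the original page) scans constructed JVM command lines for overrides of the three properties named above. It assumes only a case-insensitive "true" is read as true, and it treats only the class-path and module-path options as taking a separate value.

```python
import shlex
# Properties named on this page, mapped to the hardened default value.
HARDENED_DEFAULTS = {
    "java.rmi.server.useCodebaseOnly": True,
    "com.sun.jndi.rmi.object.trustURLCodebase": False,
    "com.sun.jndi.cosnaming.object.trustURLCodebase": False,
}
# Launcher options whose value is the next token (assumption: only these are handled).
TAKES_VALUE = {"-cp", "-classpath", "--class-path", "-p", "--module-path"}


def jvm_options(cmdline, java_tool_options=""):
    """Return the JVM options in effect order, stopping at -jar or the main class."""
    opts = shlex.split(java_tool_options)  # the JVM prepends JAVA_TOOL_OPTIONS
    tokens = iter(shlex.split(cmdline)[1:])  # skip the java executable itself
    for tok in tokens:
        if tok == "-jar" or not tok.startswith("-"):
            break  # everything after this is an application argument
        opts.append(tok)
        if tok in TAKES_VALUE:
            next(tokens, None)  # consume the path value that follows
    return opts


def weakened_properties(cmdline, java_tool_options=""):
    """Return {property: raw value} for overrides that undo a hardened default."""
    seen = {}
    for opt in jvm_options(cmdline, java_tool_options):
        if opt.startswith("-D"):
            name, _, value = opt[2:].partition("=")
            if name in HARDENED_DEFAULTS:
                seen[name] = value  # a later -D replaces an earlier one
    # Assumption: only a case-insensitive "true" is read as true.
    return {n: v for n, v in seen.items()
            if (v.lower() == "true") != HARDENED_DEFAULTS[n]}


# Constructed sample command lines, not taken from any real host.
SAMPLES = [
    "java -Dcom.sun.jndi.rmi.object.trustURLCodebase=TRUE -jar app.jar",
    "java -Djava.rmi.server.useCodebaseOnly=false -cp lib/* com.example.Main",
    "java -Dcom.sun.jndi.rmi.object.trustURLCodebase=true "
    "-Dcom.sun.jndi.rmi.object.trustURLCodebase=false -jar app.jar",
    "java -jar app.jar -Dcom.sun.jndi.cosnaming.object.trustURLCodebase=true",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(weakened_properties(line) or "ok", "<-", line)
```

The last sample is reported as clean because a -D placed after -jar is an application argument and never reaches the JVM as a system property.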