5.3.10. JDK

5.3.10.1. JDK 6

5.3.10.1.1. 6u45

  • java.rmi.server.useCodebaseOnly defaults to true, which disables automatic loading of remote class files

5.3.10.1.2. 6u141

  • com.sun.jndi.rmi.object.trustURLCodebase defaults to false

  • com.sun.jndi.cosnaming.object.trustURLCodebase defaults to false

5.3.10.1.3. 6u211

  • Remote code referenced over LDAP is not trusted by default, which affects attacks that rely on LDAP remote references

5.3.10.2. JDK 7

5.3.10.2.1. 7u40

  • The java.io.File class adds the isInvalid method, which detects whether a filename contains null bytes

5.3.10.2.2. 7u122

  • com.sun.jndi.rmi.object.trustURLCodebase defaults to false

  • com.sun.jndi.cosnaming.object.trustURLCodebase defaults to false

5.3.10.2.3. 7u201

  • Remote code referenced over LDAP is not trusted by default, which affects attacks that rely on LDAP remote references

5.3.10.3. JDK 8

  • sun.net.www.protocol: the gopher protocol is no longer supported

5.3.10.3.1. 8u113

  • com.sun.jndi.rmi.object.trustURLCodebase defaults to false

  • com.sun.jndi.cosnaming.object.trustURLCodebase defaults to false

5.3.10.3.2. 8u121

  • RMI added a deserialization whitelist mechanism

  • Remote code referenced over RMI is not trusted by default, which affects attacks that rely on RMI remote references

5.3.10.3.3. 8u191

  • Remote code referenced over LDAP is not trusted by default, which affects attacks that rely on LDAP remote references

5.3.10.3.4. 8u251

  • The com.sun.org.apache.bcel.internal.util.ClassLoader class was removed
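
The defaults listed above are only defaults, and a -D option or a System.setProperty call can reverse them on a fully patched JDK. The following audit class is an added example, not part of the original notes: it reports whether the running JVM overrides any of these properties. The class name CodebaseTrustAudit is hypothetical, and com.sun.jndi.ldap.object.trustURLCodebase is not named on this page; it is the system property behind the LDAP change.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: flags JVMs that override the codebase-trust defaults. */
public class CodebaseTrustAudit {

    // Property name -> hardened default value.
    static final Map<String, String> HARDENED = new LinkedHashMap<String, String>();
    static {
        HARDENED.put("java.rmi.server.useCodebaseOnly", "true");
        HARDENED.put("com.sun.jndi.rmi.object.trustURLCodebase", "false");
        HARDENED.put("com.sun.jndi.cosnaming.object.trustURLCodebase", "false");
        // Assumption: not named on the page; property behind the LDAP change.
        HARDENED.put("com.sun.jndi.ldap.object.trustURLCodebase", "false");
    }

    /** Returns UNSET, HARDENED or OVERRIDDEN for one property value. */
    static String classify(String hardened, String actual) {
        if (actual == null) {
            // No explicit value: the built-in default of this update level applies.
            return "UNSET";
        }
        // Boolean parsing: anything other than "true" (case-insensitive) is false.
        boolean want = Boolean.parseBoolean(hardened);
        boolean got = Boolean.parseBoolean(actual.trim());
        return want == got ? "HARDENED" : "OVERRIDDEN";
    }

    public static void main(String[] args) {
        // Print the version so UNSET results can be read against the list above.
        System.out.println("java.version = " + System.getProperty("java.version"));
        int overridden = 0;
        for (Map.Entry<String, String> e : HARDENED.entrySet()) {
            String actual = System.getProperty(e.getKey());
            String state = classify(e.getValue(), actual);
            if (state.equals("OVERRIDDEN")) {
                overridden++;
            }
            System.out.printf("%-10s %s = %s%n", state, e.getKey(), actual);
        }
        // Non-zero exit status lets a deployment check fail on an unsafe override.
        System.exit(overridden == 0 ? 0 : 1);
    }
}
```

Run it with the same -D options as the service being checked. An UNSET result is only as safe as the update level printed on the first line.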