Jeremiah Grossman · Feb 1, 2016 · 5:46 PM UTC

Jeremiah Grossman @jeremiahg

1 Feb 2016

PayPal: Lessons Learned from the Java Deserialization Bug paypal-engineering.com/2016/… < now this is how things should be done

Jeff Williams · Feb 1, 2016 · 7:29 PM UTC

Jeff Williams @planetlevel

1 Feb 2016

I don't understand this... "We found we were not exercising the vuln classes in apache-commons -> no immediate risk" @jeremiahg @paypaleng

Jeremiah Grossman · Feb 1, 2016 · 7:31 PM UTC

Jeremiah Grossman @jeremiahg

1 Feb 2016

@planetlevel @paypaleng Let’s ask @bilcorry. He’ll probably know.

Bil Corry · Feb 1, 2016 · 7:44 PM UTC

Bil Corry · Feb 1, 2016 · 7:44 PM UTC

Bil Corry @bilcorry

1 Feb 2016

Replying to @jeremiahg

@jeremiahg @planetlevel @paypaleng It means the code had vulnerable class, but class was not used.

Feb 1, 2016 · 7:44 PM UTC

𝐋𝐚𝐤𝐬𝐡 𝐑𝐚𝐠𝐡𝐚𝐯𝐚𝐧 · Feb 1, 2016 · 7:56 PM UTC

@laraghavan

1 Feb 2016

Replying to @bilcorry

@bilcorry @jeremiahg @planetlevel @paypaleng Oh, I meant to say that we were NOT using any of the vulnerable classes in our core frameworks

Jeff Williams · Feb 2, 2016 · 12:30 AM UTC

Jeff Williams @planetlevel

2 Feb 2016

Replying to @bilcorry

@bilcorry @jeremiahg @paypaleng that's how I read it too, but they'd still be vulnerable. Deserialization constructs arbitrary classes