
Dammit, Microsoft! Can't you learn to write secure code...?
Oh, wait...
VMware has let it be known that its vRealize Orchestrator, vRealize Operations, vCenter Operations and vCenter Application Discovery Manager products all need fixing to harden them against “a critical deserialization vulnerability”. The flaw involves “Apache Commons-collections and a specially constructed chain of classes” and …
Although if you have windows vCenter, you already have Orchestrator pre-installed.
It just isn't enabled to run by default.
Imagine if it was, though; just because you didn't use it doesn't mean it isn't there, ready to cause a security problem.
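The flaw quoted above is a Java deserialization problem: a serialized stream naming the right chain of library classes gets those classes instantiated before application code ever sees the data. The standard mitigation on the consuming side is to tell `ObjectInputStream` up front which classes it is permitted to instantiate. The following is an added example, not VMware's code or anything from the article; it uses the `ObjectInputFilter` API that has been in `java.io` since Java 9, and the `Ping` class and the pattern string are my own constructed assumptions for illustration.

```java
import java.io.*;

// Added example: restrict what ObjectInputStream may instantiate so that a
// gadget chain assembled from library classes (Apache Commons Collections in
// the case quoted above) is rejected before any of its objects are built.
public class FilteredDeserialization {

    // Hypothetical application type: the only class we expect on the wire.
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Ping(String message) { this.message = message; }
    }

    // Allow-list filter (Java 9+ API). Patterns are tried in order:
    //   !pkg.**   reject a package and all subpackages
    //   Name      accept that exact class
    //   maxdepth/maxarray bound the object graph
    //   !*        reject anything not matched earlier
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!org.apache.commons.collections.**;"
      + "!org.apache.commons.collections4.**;"
      + "FilteredDeserialization$Ping;"
      + "java.lang.String;"
      + "maxdepth=5;maxarray=1000;!*");

    // Deserialize with the filter installed; a rejected class surfaces as
    // InvalidClassException before its constructor or readObject runs.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: the expected type round-trips normally.
        Ping p = (Ping) readFiltered(serialize(new Ping("hello")));
        System.out.println("accepted: " + p.message);

        // Constructed sample 2: a perfectly ordinary JDK type that is not on
        // the allow-list (java.util.HashMap) is refused by the trailing "!*".
        try {
            readFiltered(serialize(new java.util.HashMap<String, String>()));
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the trailing `!*` is that the filter is an allow-list rather than a block-list: removing `commons-collections` from the classpath, or naming it in a reject pattern, only deals with the one chain that was published, whereas refusing every class you did not explicitly expect also covers chains built from other libraries that happen to be present. When the application cannot change the code that calls `readObject`, the same pattern string can be applied process-wide with the `jdk.serialFilter` system property.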
As you well know there's no such thing as a secure language, at least not one that does useful stuff. However, Java doesn't do the idiotic "write past the end of the buffer and keep going" thing that C does, so in that respect it is more secure. (Well, ok, Java isn't bulletproof, but buffer overflows are not a language "feature" like in C.)
>C _enables_ you to do such thing.
Well, to be devil's advocate, it practically guarantees that on any complex code base with successive generations of programmers of varying competence (the norm in corporate enterprise) it will be done multiple times, and several may never get caught, as a code review may be done half-assed by an even more incompetent dev, and QA departments are almost always considered nothing but a cost and staffed often with people who struggle to turn a computer on (to reduce costs). A smug C++ 12 dev would mention that smart pointers give the benefits of both worlds, but again, with the corporate environment's love of cheap freshouts and parochial management, other much more creative exploits will be generated even if this simple one is eliminated with business rules and processes. What was the point again? Oh yeah, groups of people are retarded and generally dumber than their dumbest cog.