## Critical Vulnerability Information

- **CVE ID**: CVE-2019-0189
- **Fix Content**: Improved the `ObjectInputStream` class

### Report and Fix Details

- **Reporter**: Dikpal Kanungo
- **Fixer**: Jacques Le Roux (jak...@les7arts.com)
- **Fix Date**: February 24, 2020

### Vulnerability Cause and Fix Steps

- **Cause**: The issue is caused by Groovy `GString` objects, specifically those held in the `result.successMessageList` variable within the `createMissingCategoryAndProductAltUrls()` method; because those classes were not on the deserialization whitelist, the safe input stream could not accept them.
- **Fix Measures**: Added the required `GStringImpl` and `GString` classes to the `listOfSafeObjectsForInputStream` whitelist in the `SafeObjectInputStream.properties` file (and to the matching default pattern list in `SafeObjectInputStream.java`).

### Code Changes

#### SafeObjectInputStream.properties

- **Before Modification**

```properties
# listOfSafeObjectsForInputStream=byte\\[\\], foo, SerializationInjector, \\[Z,\\[B,\\[S,\\[I,\\[J,\\[F,\\[D,\\[C, java..*, sun.util.calendar..*, org.apache.ofbiz..*
```

- **After Modification**

```properties
listOfSafeObjectsForInputStream=byte\\[\\], foo, SerializationInjector, \\[Z,\\[B,\\[S,\\[I,\\[J,\\[F,\\[D,\\[C, java..*, sun.util.calendar..*, org.apache.ofbiz..*, org.codehaus.groovy.runtime.GStringImpl, groovy.lang.GString
```

#### SafeObjectInputStream.java

- **Before Modification**

```java
// Regular expressions matched against the class name reported by the stream;
// brackets are escaped so that "byte[]" and JVM array descriptors ("[Z", "[B", ...) match literally.
private static final String[] DEFAULT_WHITELIST_PATTERN = {
        "byte\\[\\]", "foo", "SerializationInjector",
        "\\[Z", "\\[B", "\\[S", "\\[I", "\\[J", "\\[F", "\\[D", "\\[C",
        "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*" };
```

- **After Modification**

```java
// Same list, extended with the two Groovy classes that carry interpolated strings.
private static final String[] DEFAULT_WHITELIST_PATTERN = {
        "byte\\[\\]", "foo", "SerializationInjector",
        "\\[Z", "\\[B", "\\[S", "\\[I", "\\[J", "\\[F", "\\[D", "\\[C",
        "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*",
        "org.codehaus.groovy.runtime.GStringImpl", "groovy.lang.GString" };
```
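The whitelist above only has an effect because the stream refuses to load any class whose name does not match one of the patterns. The following is an added, self-contained illustration of that mechanism; it is not OFBiz's `SafeObjectInputStream`. It reuses the page's pattern list (minus the OFBiz-specific entries) in a hypothetical `WhitelistObjectInputStream`, deserializes a `java.util.Date` (accepted via `java..*`) and then a constructed class `NotAllowed` that is deliberately absent from the list, which is rejected in `resolveClass` before its bytecode is ever loaded.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Hypothetical whitelist-based ObjectInputStream (example code, not the OFBiz class).
 * Every pattern must match the complete class name reported in the stream.
 */
public class WhitelistObjectInputStream extends ObjectInputStream {

    // Same shape as the page's DEFAULT_WHITELIST_PATTERN: regexes over class names.
    // Assumption for this example: the Groovy entries are listed even though Groovy is not on the classpath.
    private static final String[] WHITELIST = {
        "byte\\[\\]", "\\[Z", "\\[B", "\\[S", "\\[I", "\\[J", "\\[F", "\\[D", "\\[C",
        "java..*", "sun.util.calendar..*",
        "org.codehaus.groovy.runtime.GStringImpl", "groovy.lang.GString"
    };

    private final List<Pattern> allowed = new ArrayList<>();

    public WhitelistObjectInputStream(InputStream in) throws IOException {
        super(in);
        for (String p : WHITELIST) {
            allowed.add(Pattern.compile(p));
        }
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (Pattern p : allowed) {
            if (p.matcher(name).matches()) {
                return super.resolveClass(desc);
            }
        }
        // Reject before the class is loaded: no readObject()/readResolve() of an unlisted type ever runs.
        throw new InvalidClassException(name, "class not in deserialization whitelist");
    }

    /** Serializes an object with the standard JDK stream (constructed input for the demo). */
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Reads one object back through the whitelisting stream. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (WhitelistObjectInputStream ois = new WhitelistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** A serializable type that is deliberately NOT on the whitelist (constructed for this example). */
    static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        int value = 7;
    }

    public static void main(String[] args) throws Exception {
        // Accepted: java.util.Date matches "java..*"
        System.out.println("accepted: " + deserialize(serialize(new Date(0L))));

        // Rejected: WhitelistObjectInputStream$NotAllowed matches no pattern
        try {
            deserialize(serialize(new NotAllowed()));
            System.out.println("unexpected: NotAllowed was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points worth keeping in mind when reading the page's fix against this model: `resolveClass` is only consulted for classes the stream has to load, so an interpolated Groovy string fails exactly at the point where `groovy.lang.GString`/`GStringImpl` are first encountered, which is why adding them to the list is sufficient; and on Java 9 and later the same policy can be expressed with the JDK's built-in `ObjectInputFilter` (JEP 290) instead of overriding `resolveClass`, which also lets you cap array sizes and object depth.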