jdk.serial filter is not working for restricting depth of treemap in java

Roger Riggs Roger.Riggs at oracle.com
Tue Aug 13 17:43:28 UTC 2019

Hi Kumar,

The other limits on the number of references (maxref) and size of the 
stream (maxbytes) cover the similar potential cases. The maxarray limit 
is targeted at limiting the size of arrays, different considerations 
apply to other data structures.

Thanks, Roger

On 7/29/19 11:07 PM, Kumar Gaurav wrote:
> Hi All,
> I'm mailing here for the first time and I am unaware of any rules for
> mailing here. If there is any mistake please let me know. Below is my
> question
> JEP 290  <https://openjdk.java.net/jeps/290>solves the problem of
> deserialization vulnerabilities except some collection classes which
> includes TreeMap and LinkedList.
> Can we have any solution or any work around to counter that?
> In our RMI interface we are accepting Objects which may have TreeMap and
> since there's no check on the size of treemap it is vulnerable to DDos
> Attack. We have solution for ArrayList, Hashmap etc, Can we have something
> similar for TreeMap and LinkedList as well?
> Regards,
> Kumar Gaurav

More information about the core-libs-dev mailing list