https://community.sap.com/t5/application-development-and-automation-discussions/zero-day-exploit-at-java-lib-common-collections/m-p/11403927#M1925362 <HTML><HEAD></HEAD><BODY><P>Hey everybody,</P><P></P><P>I wanted to give you an update on this.</P><P></P><P>After contacting SAP I go the answer that both SAP ABAP and SAP JAVA do not use this library.</P><P>I could confirm this after I have done the search for the vulnerable library.</P><P></P><P>Please remember that this is not a official statement, that you may not be affected. This is just a hint that we seem to be quite safe using SAP.</P><P></P><P>In case&nbsp; you want to know if you are affected please open an OSS message at SAP.</P><P></P><P>Regards,</P><P>Niklas</P></BODY></HTML> Fri, 04 Dec 2015 12:01:43 GMT nthsol 2015-12-04T12:01:43Z https://community.sap.com/t5/application-development-and-automation-discussions/zero-day-exploit-at-java-lib-common-collections/m-p/11403926#M1925361 <HTML><HEAD></HEAD><BODY><P>Hi Gurus,</P><P></P><P>I found the a post stating there is a Zero-Day exploit in the common collections function InvokerTransformer. Found by Gabriel Lawrence and Chris Frohoff shown in their presentation. <BR /><A href="http://de.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles">http://de.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles</A></P><P></P><P>Until now I have found no SAP Security Notes relating to this and stating a possible solution or how if there are any tools affected.</P><P></P><P>Did anyone find any document related to this?</P><P></P><P>Edit: There was already an other post to this topic -&gt; <A __default_attr="3824663" __jive_macro_name="thread" class="jive_macro_thread jive_macro" href="https://community.sap.com/"></A></P><P></P><P>Kind regards,</P><P>Niklas</P></BODY></HTML> Tue, 17 Nov 2015 10:12:09 GMT https://community.sap.com/t5/application-development-and-automation-discussions/zero-day-exploit-at-java-lib-common-collections/m-p/11403926#M1925361 nthsol 2015-11-17T10:12:09Z https://community.sap.com/t5/application-development-and-automation-discussions/zero-day-exploit-at-java-lib-common-collections/m-p/11403927#M1925362 <HTML><HEAD></HEAD><BODY><P>Hey everybody,</P><P></P><P>I wanted to give you an update on this.</P><P></P><P>After contacting SAP I go the answer that both SAP ABAP and SAP JAVA do not use this library.</P><P>I could confirm this after I have done the search for the vulnerable library.</P><P></P><P>Please remember that this is not a official statement, that you may not be affected. This is just a hint that we seem to be quite safe using SAP.</P><P></P><P>In case&nbsp; you want to know if you are affected please open an OSS message at SAP.</P><P></P><P>Regards,</P><P>Niklas</P></BODY></HTML> Fri, 04 Dec 2015 12:01:43 GMT https://community.sap.com/t5/application-development-and-automation-discussions/zero-day-exploit-at-java-lib-common-collections/m-p/11403927#M1925362 nthsol 2015-12-04T12:01:43Z