<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Apache Dubbo – Security notices</title><link>https://dubbo.apache.org/en/blog/security-notices/</link><description>Recent content in Security notices on Apache Dubbo</description><generator>Hugo -- gohugo.io</generator><language>en</language><atom:link href="https://dubbo.apache.org/en/blog/security-notices/index.xml" rel="self" type="application/rss+xml"/><item><title>Blog: Serialization Protocol Security</title><link>https://dubbo.apache.org/en/blog/1/01/01/serialization-protocol-security/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://dubbo.apache.org/en/blog/1/01/01/serialization-protocol-security/</guid><description>
&lt;p>Dubbo 3 has enhanced the security aspects of serialization protocols and recommends using the Triple protocol in non-Wrapper mode. This protocol is secure by default but requires developers to write IDL files.&lt;/p>
&lt;p>In the Triple protocol&amp;rsquo;s Wrapper mode, compatibility with other serialization formats is allowed, which offers good compatibility. However, other protocols may have deserialization security flaws. For the Hessian2 protocol, users with high security requirements should enable whitelist mode as shown in the sample code. The framework enables blacklist mode by default to block malicious calls.&lt;/p>
&lt;p>Using other serialization protocols is not recommended. When an attacker can reach the Provider interface, security flaws in other serialization protocols may lead to command execution through that interface.&lt;/p>
&lt;p>If you must use other serialization protocols and wish to maintain some level of security, you should enable the Token authentication mechanism. This will prevent threats to the Provider&amp;rsquo;s security from unauthenticated and untrusted request sources. When enabling Token authentication, you should also enable the authentication feature in the registry.&lt;/p>
&lt;h2 id="notice">Notice&lt;/h2>
&lt;p>The following serializations have been shown to be insufficiently safe for transfer over the network and are not recommended for use.&lt;/p>
&lt;ul>
&lt;li>native-hessian&lt;/li>
&lt;li>native-java (Java ObjectOutputStream and ObjectInputStream)&lt;/li>
&lt;/ul></description></item><item><title>Blog: Security</title><link>https://dubbo.apache.org/en/blog/1/01/01/security/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://dubbo.apache.org/en/blog/1/01/01/security/</guid><description>
&lt;h2 id="reporting-security-issues">Reporting security issues&lt;/h2>
&lt;p>The Apache Software Foundation takes a very active stance in eliminating security problems and denial of service attacks against its products.&lt;/p>
&lt;p>We strongly encourage folks to report such problems to our private security mailing list first, before disclosing them in a public forum.&lt;/p>
&lt;p>Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other queries at this address. All mail sent to this address that does not relate to an undisclosed security problem in our source code will be ignored.&lt;/p>
&lt;p>If you need to report a bug that isn&amp;rsquo;t an undisclosed security vulnerability, please use the bug reporting page.&lt;/p>
&lt;p>The private security mailing address is: &lt;a href="mailto:security@dubbo.apache.org">security@dubbo.apache.org&lt;/a>&lt;/p>
&lt;p>For more information about how the ASF deals with potential security problems, see &lt;a href="https://www.apache.org/security/">https://www.apache.org/security/&lt;/a>&lt;/p>
&lt;h2 id="security-issues-in-dependencies">Security issues in dependencies&lt;/h2>
&lt;h3 id="log4j-cve-2021-44228">Log4j CVE-2021-44228&lt;/h3>
&lt;p>A severe security vulnerability, &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228&lt;/a>, was recently reported in the widely used logging framework &lt;a href="https://logging.apache.org/log4j/2.x/">log4j2&lt;/a>.&lt;/p>
&lt;p>The following is a summary of the impact of CVE-2021-44228 on the Apache Dubbo framework, together with guidance for users.&lt;/p>
&lt;h4 id="potential-influence-on-dubbo">Potential Influence on Dubbo&lt;/h4>
&lt;p>&lt;strong>CVE-2021-44228 has no security impact on the use of the Dubbo framework.&lt;/strong>&lt;/p>
&lt;p>Dubbo itself does not depend on the log4j2 framework, nor does it bring log4j2 into a project as a transitive dependency. Therefore, Dubbo users on versions 2.7.x and 3.0.x do not need to upgrade their Dubbo version.&lt;/p>
&lt;p>The following is the dependency analysis of Dubbo components on log4j2, involving &lt;code>Dubbo common&lt;/code>, &lt;code>Dubbo spring boot starter&lt;/code> and &lt;code>Dubbo spring boot actuator&lt;/code>:&lt;/p>
&lt;ul>
&lt;li>&lt;code>dubbo-common&lt;/code> optionally depends on &lt;code>log4j-core&lt;/code>. The only thing to check is whether the project itself has enabled the log4j dependency. If so, upgrade accordingly.&lt;/li>
&lt;/ul>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-xml" data-lang="xml">&lt;span style="display:flex;">&lt;span>[INFO] --- maven-dependency-plugin:3.1. 2:tree (default-cli) @ dubbo-common ---
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] org. apache. dubbo:dubbo-common:jar:2.7. 14-SNAPSHOT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] +- org. apache. logging. log4j:log4j-api:jar:2.11. 1:provided
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] \- org. apache. logging. log4j:log4j-core:jar:2.11. 1:provided
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;ul>
&lt;li>&lt;code>dubbo-spring-boot-starter&lt;/code> pulls in the log4j-api dependency transitively through spring-boot. log4j-api itself has no security issue, but pay attention to compatibility with log4j-api when upgrading the log4j-core component.&lt;/li>
&lt;/ul>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-xml" data-lang="xml">&lt;span style="display:flex;">&lt;span>[INFO] org. apache. dubbo:dubbo-spring-boot-starter:jar:2.7. 14-SNAPSHOT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] \- org. springframework. boot:spring-boot-starter:jar:2.3. 1.RELEASE:compile (optional)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] \- org. springframework. boot:spring-boot-starter-logging:jar:2.3. 1.RELEASE:compile (optional)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] \- org. apache. logging. log4j:log4j-to-slf4j:jar:2.13. 3:compile (optional)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] \- org. apache. logging. log4j:log4j-api:jar:2.13. 3:compile (optional)
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;ul>
&lt;li>&lt;code>dubbo-spring-boot-actuator&lt;/code> pulls in the log4j-api dependency transitively through spring-boot. log4j-api itself has no security issue, but pay attention to compatibility with log4j-api when upgrading the log4j-core component.&lt;/li>
&lt;/ul>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-xml" data-lang="xml">&lt;span style="display:flex;">&lt;span>[INFO] org. apache. dubbo:dubbo-spring-boot-actuator:jar:2.7. 14-SNAPSHOT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] \- org. springframework. boot:spring-boot-starter-web:jar:2.3. 1.RELEASE:compile (optional)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] \- org. springframework. boot:spring-boot-starter:jar:2.3. 1.RELEASE:compile
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] \- org. springframework. boot:spring-boot-starter-logging:jar:2.3. 1.RELEASE:compile
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] \- org. apache. logging. log4j:log4j-to-slf4j:jar:2.13. 3:compile
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>[INFO] \- org. apache. logging. log4j:log4j-api:jar:2.13. 3:compile
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="security-model">Security Model&lt;/h2>
&lt;h3 id="third-party-deserialization-library-vulnerabilities">Third-party Deserialization Library Vulnerabilities&lt;/h3>
&lt;p>Dubbo supports extension of the serialization protocol. In principle, users can enable any serialization protocol through the extension mechanism, which brings great flexibility, but they should also be aware of the potential security risks.
Data deserialization is one of the weakest links that attackers exploit. Attackers use it to steal or destroy server-side data, for example through remote code execution (RCE).
Before switching the serialization protocol or implementation, users should fully investigate the security guarantees of the target serialization protocol and its framework implementation, and put corresponding security measures in place beforehand (such as configuring a blacklist or whitelist). The Dubbo framework itself cannot guarantee the security of the target serialization mechanism.&lt;/p>
&lt;p>The official Dubbo 2.7 release provides the following serialization protocols:&lt;/p>
&lt;ul>
&lt;li>Hessian2&lt;/li>
&lt;li>Fastjson&lt;/li>
&lt;li>Kryo&lt;/li>
&lt;li>FST&lt;/li>
&lt;li>JDK&lt;/li>
&lt;li>Protostuff/Protobuf&lt;/li>
&lt;li>Avro&lt;/li>
&lt;li>Gson&lt;/li>
&lt;/ul>
&lt;p>For the serialization extensions above, after discovering or receiving a relevant vulnerability report, Dubbo will follow up and upgrade to the latest secure version, but the final fix depends on the serialization framework implementation.&lt;/p>
&lt;blockquote>
&lt;p>For users of &lt;a href="https://github.com/apache/dubbo-hessian-lite/releases">dubbo hessian2&lt;/a>, Dubbo will guarantee the security of the Hessian 2 serialization mechanism and repair reported security vulnerabilities as far as possible.&lt;/p>
&lt;/blockquote>
&lt;p>If you have any questions or security issues, please send an email to &lt;a href="mailto:security@dubbo.apache.org">security@dubbo.apache.org&lt;/a>&lt;/p>
&lt;h4 id="some-suggestions-to-deal-with-the-security-vulnerability-of-deserialization">Some suggestions to deal with the security vulnerability of deserialization&lt;/h4>
&lt;ul>
&lt;li>External network access restrictions&lt;/li>
&lt;/ul>
&lt;p>According to research, most existing deserialization exploit chains need to load malicious classes remotely. Unless there is a specific requirement, it is recommended to configure the server without Internet access, where this does not affect the business.&lt;/p>
&lt;ul>
&lt;li>IP white list&lt;/li>
&lt;/ul>
&lt;p>It is suggested that server developers add the consumer IPs that are allowed to connect to the Dubbo server to a trusted IP whitelist, and configure that whitelist on the server, so that an attacker cannot initiate a connection request directly from outside.&lt;/p>
&lt;ul>
&lt;li>More secure deserialization&lt;/li>
&lt;/ul>
&lt;p>Where it does not affect the business, the protocol and deserialization method can be changed to a more secure option, such as REST, gRPC, or Thrift.&lt;/p>
&lt;ul>
&lt;li>Close the public network port&lt;/li>
&lt;/ul>
&lt;p>Do not expose the open port of the Dubbo server to the public network. Note the exception, however: if the attacker is already inside the intranet, they can still attack.&lt;/p>
&lt;ul>
&lt;li>Enable filtering of incoming serialization data for Java default serialization&lt;br>
Remember to configure filtering rules before enabling Java default serialization.
This feature is first supported in JDK 9 and has been back-ported to JDK 8, 7, and 6.&lt;br>
&lt;a href="https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-3ECB288D-E5BD-4412-892F-E9BB11D4C98A">https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-3ECB288D-E5BD-4412-892F-E9BB11D4C98A&lt;/a>&lt;br>
&lt;a href="http://openjdk.java.net/jeps/290">http://openjdk.java.net/jeps/290&lt;/a>&lt;/li>
&lt;/ul></description></item></channel></rss>