Posted to issues@ignite.apache.org by "Vyacheslav Koptilin (Jira)" <ji...@apache.org> on 2022/10/18 12:33:00 UTC

[jira] [Updated] (IGNITE-16466) User Object Serialization Security

     [ https://issues.apache.org/jira/browse/IGNITE-16466?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vyacheslav Koptilin updated IGNITE-16466:
-----------------------------------------
    Fix Version/s: 3.0.0-beta2
                       (was: 3.0.0-beta1)

> User Object Serialization Security
> ----------------------------------
>
>                 Key: IGNITE-16466
>                 URL: https://issues.apache.org/jira/browse/IGNITE-16466
>             Project: Ignite
>          Issue Type: Improvement
>          Components: networking
>            Reporter: Roman Puchkovskiy
>            Priority: Major
>              Labels: ignite-3
>             Fix For: 3.0.0-beta2
>
>
> Recently, there were a lot of vulnerabilities related to the JDK Serialization. User Object Serialization supports Serializable and its callbacks, so it is probably also susceptible to the same attacks.
> We could, for example, implement white-lists of the classes we are allowed to deserialize.
> Also, we could restrict ourselves to only allowing classes from known classloaders.
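One way to realise the two mitigations the ticket proposes (a class allowlist plus a restriction to known classloaders), shown as an added example on plain JDK serialization with an `ObjectInputFilter`; this is not Ignite code and not the User Object Serialization implementation itself. The `UserProfile` type, the `ALLOWED` set and the depth/reference limits are constructed for this illustration.

```java
import java.io.*;
import java.util.*;

public class AllowlistDeserialization {
    // Hypothetical user type (constructed for this example) that we do want to accept.
    static final class UserProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name; final int age;
        UserProfile(String name, int age) { this.name = name; this.age = age; }
    }
    // Constructed allowlist: any class not named here is rejected before it is resolved.
    static final Set<String> ALLOWED = Set.of(UserProfile.class.getName(), String.class.getName());

    // Known loaders only: the bootstrap loader (null) and the loader that defined this code.
    static boolean fromKnownLoader(Class<?> c) {
        ClassLoader cl = c.getClassLoader();
        return cl == null || cl == AllowlistDeserialization.class.getClassLoader();
    }

    static ObjectInputFilter allowlistFilter() {
        return info -> {
            // Resource limits against deeply nested or reference-heavy object graphs.
            if (info.depth() > 8 || info.references() > 1_000) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;  // no class in this check
            while (c.isArray()) c = c.getComponentType();               // judge arrays by element type
            if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
            boolean ok = ALLOWED.contains(c.getName()) && fromKnownLoader(c);
            return ok ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowlistFilter());  // consulted before each class is resolved
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        UserProfile p = (UserProfile) deserialize(serialize(new UserProfile("alice", 30)));
        System.out.println("accepted " + p.name);
        try {
            deserialize(serialize(new ArrayList<>(List.of("x"))));  // ArrayList is not allowlisted
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Because the filter is consulted before the class is resolved, a rejected type never has its `readObject`/`readResolve` callbacks invoked; the `UNDECIDED` result for non-class checks lets a process-wide filter (`ObjectInputFilter.Config.setSerialFilter`) still apply its own limits.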



--
This message was sent by Atlassian Jira
(v8.20.10#820010)