phoenix-dev mailing list archives

From "Josh Elser (JIRA)" <>
Subject [jira] [Created] (PHOENIX-4189) Avoid direct use of ObjectInputStream in Hive integration
Date Sat, 09 Sep 2017 04:01:00 GMT
Josh Elser created PHOENIX-4189:

             Summary: Avoid direct use of ObjectInputStream in Hive integration
                 Key: PHOENIX-4189
             Project: Phoenix
          Issue Type: Bug
            Reporter: Josh Elser
            Assignee: Josh Elser
             Fix For: 4.12.0

Another security scan ding, but not a very big concern.

We use ObjectInputStream to serialize/deserialize a Map which contains the columns+values
of the primary key constraint. The problem with ObjectInputStream is that it doesn't care
what Class it deserializes. If a malicious user can somehow coerce some unknowing user to
use an InputSplit that has this specially crafted class, we can get into arbitrary code
execution. outlines a way to work around this
issue in code, but it leaves a bit to be desired. The ObjectInputStream recursively calls
itself as it deserializes the fields in the Object. By trusting some classes from the packages
java.lang, java.util, and java.sql, I believe we can remove this minor concern.
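The package-based allow-list described above, as an added illustration rather than Phoenix's own patch: a hypothetical `RestrictedObjectInputStream` overrides `resolveClass`, which the JDK calls for every class descriptor as it recurses through the object graph, so an unexpected class is refused before it is loaded or instantiated. The sample PK map and the trusted prefixes are assumptions for the demo.

```java
import java.io.*;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical look-ahead ObjectInputStream for the PK map: resolveClass() is
// consulted for every class descriptor in the stream, nested fields included,
// so anything outside the trusted packages is refused before it is instantiated.
public final class RestrictedObjectInputStream extends ObjectInputStream {
    private static final String[] TRUSTED_PREFIXES = {"java.lang.", "java.util.", "java.sql."};
    public RestrictedObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Array descriptors look like "[Ljava.lang.String;" or "[I": check the component type.
        String component = desc.getName();
        while (component.startsWith("[")) component = component.substring(1);
        if (component.startsWith("L") && component.endsWith(";")) {
            component = component.substring(1, component.length() - 1);
        } else if (component.length() == 1) {
            return super.resolveClass(desc); // primitive array such as int[]
        }
        for (String prefix : TRUSTED_PREFIXES) {
            if (component.startsWith(prefix)) return super.resolveClass(desc);
        }
        throw new InvalidClassException(desc.getName(), "class is outside the trusted package list");
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a PK map like the one the Hive InputSplit carries.
        Map<String, Object> pk = new LinkedHashMap<>();
        pk.put("id", 42L);
        pk.put("created", new java.sql.Timestamp(0L));
        try (ObjectInputStream in = new RestrictedObjectInputStream(new ByteArrayInputStream(serialize(pk)))) {
            System.out.println("accepted: " + in.readObject());
        }
        // A Serializable class from a package that is not trusted is rejected at resolveClass time.
        try (ObjectInputStream in = new RestrictedObjectInputStream(new ByteArrayInputStream(serialize(new java.math.BigDecimal("1.5"))))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that `java.util` and `java.lang` still contain classes with non-trivial `readObject` behaviour, so the prefix list bounds the exposure rather than eliminating it; a narrower list of the exact classes the PK map needs is the stricter option.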

