[
https://issues.apache.org/jira/browse/PHOENIX-4189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16165351#comment-16165351
]
Josh Elser commented on PHOENIX-4189:
-------------------------------------
Ping [~sergey.soldatov] ;)
Looks like the tests passed. Could you take a glance please?
> Avoid direct use of ObjectInputStream in Hive integration
> ---------------------------------------------------------
>
> Key: PHOENIX-4189
> URL: https://issues.apache.org/jira/browse/PHOENIX-4189
> Project: Phoenix
> Issue Type: Bug
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: 4.12.0
>
> Attachments: PHOENIX-4189.001.patch
>
>
> Another security scan ding, but not a very big concern.
> We use ObjectInputStream to serialize/deserialize a Map which contains the
> columns+values of the primary key constraint. The problem with
> ObjectInputStream is that it doesn't care what Class it deserializes. If a
> malicious user can someone coerce some unknowing user to use an InputSplit
> that has this specially crafted class, we can get into an arbitrary code
> execution.
> https://www.ibm.com/developerworks/library/se-lookahead/ outlines a way to
> work around this issue in code, but it leaves a bit to be desired. The
> ObjectInputStream recursively calls itself as it deserializes the fields in
> the Object. By trusting some classes from the packages java.lang, java.util,
> and java.sql, I believe we can remove this minor concern.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
