th555555 opened a new pull request, #3288: URL: https://github.com/apache/celeborn/pull/3288
**Description**: Fixes a critical security vulnerability in the fromJson method that could allow remote code execution through JSON deserialization attacks.

**Security Issue:**
Before: Used shared MAPPER instance without security controls, vulnerable to polymorphic deserialization attacks
After: Creates ObjectMapper with deactivateDefaultTyping() to prevent gadget chain exploitation

Changes:
- Replace shared MAPPER.readValue() with secure ObjectMapper configuration
- Add deactivateDefaultTyping() to prevent polymorphic deserialization vulnerabilities
- Add JacksonAnnotationIntrospector for proper annotation handling
- Improve error handling with specific JsonParseException catch
- Add necessary Jackson imports for security classes

**Security Impact:**
Risk Level: Critical (Remote Code Execution)
Attack Vector: Malicious JSON payloads exploiting polymorphic deserialization
Fix: Prevents gadget chain attacks by disabling dangerous default typing feature

**Vulnerability Details:**
CWE-502: Deserialization of Untrusted Data
CVE Pattern: Similar to CVE-2017-7525, CVE-2017-15095 (Jackson RCE vulnerabilities)
OWASP: A08:2021 – Software and Data Integrity Failures

**Reference**: https://github.com/dogtagpki/pki/commit/1ca4e256e058ef01d29649336c268db7e1e9259e

-- This is an automated message from the Apache Git Service.
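The hardened `fromJson` pattern the description outlines, written out as an added Java example (not Celeborn's code and not the PR's diff); the `Settings` class, the `SafeJsonDemo` wrapper and the JSON payloads are constructed for illustration. It builds the mapper with default typing deactivated and a plain `JacksonAnnotationIntrospector`, catches `JsonParseException` separately from other mapping failures, and shows that a payload carrying a `@class` key is read as an ordinary map rather than resolved to a class.

```java
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.introspect.JacksonAnnotationIntrospector;

import java.util.Map;

// Illustrative hardened JSON loader in the spirit of the PR description (not Celeborn's code).
public class SafeJsonDemo {

    // Sample target type, constructed for this example.
    public static class Settings {
        public String name;
        public int workers;
    }

    // A fresh ObjectMapper already has default typing off; deactivateDefaultTyping() makes
    // that explicit and guards against a shared mapper that was activated elsewhere.
    static ObjectMapper secureMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.deactivateDefaultTyping();      // no "@class"-style type hints are honoured
        mapper.setAnnotationIntrospector(new JacksonAnnotationIntrospector());
        return mapper;
    }

    public static <T> T fromJson(String json, Class<T> type) {
        try {
            return secureMapper().readValue(json, type);
        } catch (JsonParseException e) {        // malformed JSON text
            throw new IllegalArgumentException("Malformed JSON: " + e.getOriginalMessage(), e);
        } catch (JsonProcessingException e) {   // well-formed JSON that does not map to `type`
            throw new IllegalArgumentException("Cannot map JSON to " + type.getSimpleName(), e);
        }
    }

    public static void main(String[] args) {
        Settings s = fromJson("{\"name\":\"shuffle\",\"workers\":4}", Settings.class);
        System.out.println(s.name + " " + s.workers);

        // Constructed payload with a type-hint key: with default typing off it is just a
        // map whose key happens to be "@class"; no class named in the value is loaded.
        Map<?, ?> m = fromJson("{\"@class\":\"com.example.Placeholder\",\"x\":1}", Map.class);
        System.out.println(m.keySet());

        try {
            fromJson("{\"name\": \"unterminated", Settings.class);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Unknown properties on `Settings` still fail under Jackson's default `FAIL_ON_UNKNOWN_PROPERTIES`, which lands in the second catch block rather than being silently ignored.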
