[ https://issues.apache.org/jira/browse/HBASE-20894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16548729#comment-16548729 ]

Mike Drob commented on HBASE-20894:
-----------------------------------

There are specific security issues with Java Object Serialization that are not 
present in protobuf, thrift, kryo, avro, etc. There may be other issues 
present in those libraries, so details matter. The link I provided has specific 
examples for how ObjectInputStream can behave badly.

I also do not think this is a significant security issue - if it were, then it 
would have been handled as a private JIRA with an associated CVE and following 
the standard ASF security practices.

Security auditors like to run scans and check checkboxes. This is something 
that can come up in one of those scans. As the code exists right now, setting 
file system permissions is completely sufficient, but security issues have a 
nasty way of coming up exactly when you aren't looking for them and I'd be hard 
pressed to prove that this couldn't be used as a part of some larger privilege 
escalation in the future. So, we can "fix" it by using a different ser/de 
technique.

I'm still having trouble discerning the severity of your stance on this issue. 
Would you be a "-1 don't do this, it's actively harmful" or "-0 I think it's a 
waste of time but I'm not going to stop you" if you had to commit to a 
position? Or something else entirely?
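The ObjectInputStream behaviour referred to above, shown from the defensive side in an added example that is not part of this comment or of HBase's code: a hypothetical persisted cache index (a constructed IndexEntry class, with a byte array standing in for the file) is read through a JEP 290 deserialization allowlist (java.io.ObjectInputFilter, Java 9 and later), so any class the file should never contain is rejected before it is instantiated. The class names, sizes and the Date stand-in are all assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;

public class FilteredIndexReadDemo {
    // Hypothetical stand-in for a persisted cache index entry (not HBase's own class).
    static final class IndexEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        final long offset;
        final int length;
        IndexEntry(long offset, int length) { this.offset = offset; this.length = length; }
    }

    // Allowlist of exactly the classes a legitimate index file contains. The trailing
    // "!*" rejects every other class before ObjectInputStream instantiates it; maxdepth
    // and maxarray bound nesting and array allocation requested by a crafted file.
    static final ObjectInputFilter INDEX_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000000;"
            + FilteredIndexReadDemo.class.getName() + "$IndexEntry;!*");

    // Writes an object the same way the unfiltered persistence path would (constructed input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Reads a persisted index with the allowlist applied (a byte[] stands in for the file).
    static IndexEntry[] readIndex(byte[] persisted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(persisted))) {
            ois.setObjectInputFilter(INDEX_FILTER);
            return (IndexEntry[]) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        IndexEntry[] index = { new IndexEntry(0L, 65536), new IndexEntry(65536L, 4096) };
        System.out.println("valid index entries: " + readIndex(serialize(index)).length);
        // A file carrying a class the index never contains (Date stands in for any
        // unexpected type) is rejected before its deserialization logic can run.
        try {
            readIndex(serialize(new Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Switching the on-disk format to protobuf, as the issue proposes, removes the ObjectInputStream path altogether; the filter is the mitigation available while Java serialization is still in use.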

> Move BucketCache from java serialization to protobuf
> ----------------------------------------------------
>
>                 Key: HBASE-20894
>                 URL: https://issues.apache.org/jira/browse/HBASE-20894
>             Project: HBase
>          Issue Type: Task
>          Components: BucketCache
>    Affects Versions: 2.0.0
>            Reporter: Mike Drob
>            Priority: Major
>             Fix For: 3.0.0
>
>         Attachments: HBASE-20894.WIP-2.patch, HBASE-20894.WIP.patch
>
>
> We should use a better serialization format instead of Java Serialization for 
> the BucketCache entry persistence.
> Suggested by Chris McCown, who does not appear to have a JIRA account.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to