Roman Puchkovskiy created IGNITE-16466:
------------------------------------------
Summary: User Object Serialization Security
Key: IGNITE-16466
URL: https://issues.apache.org/jira/browse/IGNITE-16466
Project: Ignite
Issue Type: Improvement
Components: networking
Reporter: Roman Puchkovskiy
Fix For: 3.0.0-alpha5
Recently, there were a lot of vulnerabilities related to the JDK Serialization.
User Object Serialization supports Serializable and its callbacks, so it is
probably also susceptible to the same attacks.
We could, for example, implement white-lists of the classes we are allowed to
deserialize.
Also, we could restrict ourselves to only allowing classes from known
classloaders.
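The two restrictions proposed in the issue (a class allow-list and a check on the defining classloader), shown on the JDK's own `ObjectInputStream` as an added example; this is not Ignite code and not part of the original issue. The names `AllowListDemo` and `AllowListObjectInputStream` are hypothetical, and the JDK stream stands in for User Object Serialization, whose API is not shown here.

```java
import java.io.*;
import java.util.*;

public class AllowListDemo {
    /** Look-ahead stream: vets each class descriptor before the class is loaded. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        private final Set<ClassLoader> trustedLoaders;
        AllowListObjectInputStream(InputStream in, Set<String> allowed,
                                   Set<ClassLoader> trustedLoaders) throws IOException {
            super(in);
            this.allowed = allowed;
            this.trustedLoaders = trustedLoaders;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Reject by name first, so no readObject/readResolve callback can run.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the allow-list");
            }
            Class<?> cls = super.resolveClass(desc);
            // A null loader is the bootstrap loader (JDK core classes).
            ClassLoader loader = cls.getClassLoader();
            if (loader != null && !trustedLoaders.contains(loader)) {
                throw new InvalidClassException(desc.getName(), "untrusted classloader");
            }
            return cls;
        }
    }

    static Object read(byte[] data, Set<String> allowed) throws Exception {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(data),
                allowed, Set.of(AllowListDemo.class.getClassLoader()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new ArrayList<>(List.of(1, 2))); // constructed sample input
        }
        System.out.println(read(bos.toByteArray(),
                Set.of("java.util.ArrayList", "java.lang.Integer", "java.lang.Number")));
        try {
            read(bos.toByteArray(), Set.of("java.util.ArrayList"));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Serializable superclass descriptors are vetted as well, which is why `java.lang.Number` has to be listed next to `java.lang.Integer`.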