[
https://issues.apache.org/jira/browse/IGNITE-16466?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Evgeny Stanilovsky updated IGNITE-16466:
----------------------------------------
Fix Version/s: 3.2
(was: 3.1)
> User Object Serialization Security
> ----------------------------------
>
> Key: IGNITE-16466
> URL: https://issues.apache.org/jira/browse/IGNITE-16466
> Project: Ignite
> Issue Type: Improvement
> Components: networking
> Reporter: Roman Puchkovskiy
> Priority: Major
> Labels: ignite-3
> Fix For: 3.2
>
>
> Recently, there were a lot of vulnerabilities related to the JDK
> Serialization. User Object Serialization supports Serializable and its
> callbacks, so it is probably also susceptible to the same attacks.
> We could, for example, implement white-lists of the classes we are allowed to
> deserialize.
> Also, we could restrict ourselves to only allowing classes from known
> classloaders.
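The two mitigations proposed in the issue (a class allow-list and a restriction to known classloaders), sketched as an added example that is not Ignite code and not from the issue. It assumes the JDK's `ObjectInputFilter` (Java 9+) as a stand-in for Ignite's own User Object Serialization; the sample classes, the allow-list contents and the depth limit are constructed for illustration.

```java
import java.io.*;
import java.io.ObjectInputFilter.Status;
import java.util.Set;

public class AllowListDeserializationDemo {
    // Constructed sample types: one the application expects, one it does not.
    static class Expected implements Serializable { int id = 7; }
    static class Unexpected implements Serializable { int id = 9; }

    // Hypothetical policy: exact class names that may appear in a stream.
    static final Set<String> ALLOWED_NAMES = Set.of(Expected.class.getName());
    // Hypothetical policy: loaders whose classes may be deserialized.
    static final Set<ClassLoader> TRUSTED_LOADERS =
            Set.of(AllowListDeserializationDemo.class.getClassLoader());

    // Called when a class descriptor is read, before the object is
    // instantiated and before any readObject/readResolve callback runs.
    static Status check(ObjectInputFilter.FilterInfo info) {
        if (info.depth() > 16) return Status.REJECTED;   // bound graph nesting
        Class<?> c = info.serialClass();
        if (c == null) return Status.UNDECIDED;          // limit-only check
        while (c.isArray()) c = c.getComponentType();    // judge element type
        if (c.isPrimitive()) return Status.ALLOWED;
        // A null loader is the bootstrap loader; JDK classes still need to be
        // on the name allow-list, since gadget classes live there too.
        ClassLoader cl = c.getClassLoader();
        boolean loaderOk = cl == null || TRUSTED_LOADERS.contains(cl);
        return loaderOk && ALLOWED_NAMES.contains(c.getName())
                ? Status.ALLOWED : Status.REJECTED;
    }

    static Object read(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(AllowListDeserializationDemo::check);
            return in.readObject();
        }
    }

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + read(write(new Expected())).getClass().getName());
        try { read(write(new Unexpected())); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The filter denies by default: any class not named in the allow-list is rejected even when its loader is trusted, so a new serializable type has to be added to the policy explicitly.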