Josh Elser created PHOENIX-4189:
-----------------------------------
Summary: Avoid direct use of ObjectInputStream in Hive integration
Key: PHOENIX-4189
URL: https://issues.apache.org/jira/browse/PHOENIX-4189
Project: Phoenix
Issue Type: Bug
Reporter: Josh Elser
Assignee: Josh Elser
Fix For: 4.12.0
Another security scan ding, but not a very big concern.
We use ObjectInputStream to serialize/deserialize a Map which contains the
columns+values of the primary key constraint. The problem with
ObjectInputStream is that it doesn't care what Class it deserializes. If a
malicious user can somehow coerce some unknowing user to use an InputSplit that
has this specially crafted class, we can get into arbitrary code execution.
https://www.ibm.com/developerworks/library/se-lookahead/ outlines a way to work
around this issue in code, but it leaves a bit to be desired. The
ObjectInputStream recursively calls itself as it deserializes the fields in the
Object. By trusting some classes from the packages java.lang, java.util, and
java.sql, I believe we can remove this minor concern.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
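The look-ahead approach referenced in the issue, as an added example that is not Phoenix code and not the IBM article's code: an ObjectInputStream subclass whose resolveClass refuses any class outside the java.lang, java.util and java.sql packages, run against a constructed primary-key-style map. The class names (LookAheadObjectInputStream, NotTrusted), the helper methods and the sample map are all assumptions for illustration. Because resolveClass is invoked for every class descriptor in the stream, including those of nested field values, the check applies recursively to the whole object graph, and it runs before any instance of the class is allocated, so a rejected class's readObject never executes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.sql.Timestamp;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Illustrative look-ahead deserializer; hypothetical names, not Phoenix code. */
public class LookAheadDeserializer {

    // Packages whose classes may be instantiated from the stream; everything else is refused.
    private static final List<String> TRUSTED_PREFIXES =
            Arrays.asList("java.lang.", "java.util.", "java.sql.");

    /** ObjectInputStream that resolves only classes from the trusted packages. */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        // Called for every class descriptor read from the stream, nested ones included,
        // and before any object of that class is created: this is the "look ahead".
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Arrays are named "[I", "[Ljava.lang.String;" etc.; check the element type.
            while (name.startsWith("[")) {
                name = name.substring(1);
            }
            if (name.length() == 1) {               // primitive array such as int[]
                return super.resolveClass(desc);
            }
            if (name.startsWith("L") && name.endsWith(";")) {
                name = name.substring(1, name.length() - 1);
            }
            for (String prefix : TRUSTED_PREFIXES) {
                if (name.startsWith(prefix)) {
                    return super.resolveClass(desc);
                }
            }
            throw new InvalidClassException(name, "class not in deserialization allow list");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeTrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** Stand-in for an attacker-supplied class; its readObject must never run. */
    static final class NotTrusted implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("readObject ran: this would be the gadget entry point");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: column name -> value for a primary key, using only JDK types.
        Map<String, Object> pk = new HashMap<>();
        pk.put("ID", 42L);
        pk.put("NAME", "alice");
        pk.put("CREATED", new Timestamp(0L));
        System.out.println("accepted: " + deserializeTrusted(serialize(pk)));

        // Same map with one value from outside the allow list: refused at resolveClass.
        Map<String, Object> poisoned = new HashMap<>(pk);
        poisoned.put("X", new NotTrusted());
        try {
            deserializeTrusted(serialize(poisoned));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats a reviewer would raise on the allow list itself. First, a package-level list still admits every serializable class in java.util, and several of those (HashMap, PriorityQueue, and anything whose hashCode, equals or compareTo runs during deserialization) are the building blocks of known gadget chains; with only JDK packages permitted the chains that need a third-party class are blocked, but the surface is reduced rather than removed, so listing the exact classes expected (here HashMap plus the value types) is tighter than listing packages. Second, on Java 9 and later the same hook is available without subclassing through ObjectInputFilter (JEP 290), set per stream with ObjectInputStream.setObjectInputFilter, which also lets you cap graph depth and array sizes; the subclass above is the portable form for the Java 7/8 runtimes Phoenix supported at the time.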