[ https://issues.apache.org/jira/browse/PHOENIX-4189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16175219#comment-16175219 ]

Hudson commented on PHOENIX-4189:
---------------------------------

FAILURE: Integrated in Jenkins build Phoenix-master #1806 (See 
[https://builds.apache.org/job/Phoenix-master/1806/])
PHOENIX-4189 Introduce a class that wraps the Map of primary key data (jtaylor: 
rev e47e78477802940148b6457021a6362cefb002e6)
* (edit) phoenix-hive/src/main/java/org/apache/phoenix/hive/PrimaryKeyData.java


> Avoid direct use of ObjectInputStream in Hive integration
> ---------------------------------------------------------
>
>                 Key: PHOENIX-4189
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4189
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.12.0
>
>         Attachments: PHOENIX-4189.001.patch, PHOENIX-4189_addendum.patch
>
>
> Another security scan ding, but not a very big concern.
> We use ObjectInputStream to serialize/deserialize a Map which contains the 
> columns+values of the primary key constraint. The problem with 
> ObjectInputStream is that it doesn't care what Class it deserializes. If a 
> malicious user can somehow coerce some unknowing user to use an InputSplit 
> that has this specially crafted class, we can get into arbitrary code 
> execution.
> https://www.ibm.com/developerworks/library/se-lookahead/ outlines a way to 
> work around this issue in code, but it leaves a bit to be desired. The 
> ObjectInputStream recursively calls itself as it deserializes the fields in 
> the Object. By trusting some classes from the packages java.lang, java.util, 
> and java.sql, I believe we can remove this minor concern.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
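The look-ahead technique the issue refers to, as an added example that is not Phoenix's own PrimaryKeyData code: an ObjectInputStream subclass overrides resolveClass(), which the JDK calls for every class descriptor before any instance of that class is created, so a descriptor outside the allow-list is rejected before its readObject() (or any gadget chain built on it) can run. The allowed packages are the three named in the issue; permitting byte[] ("[B") for binary key columns, the map layout, and the Payload class standing in for attacker-controlled code are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.sql.Date;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Look-ahead deserialization for a primary-key map (example code, not Phoenix's).
 * resolveClass() runs before the JDK instantiates anything, so an unexpected
 * class is refused before its readObject() could execute.
 */
public class LookAheadPkDeserializer {

    // Packages the primary-key map is expected to contain (from the issue text).
    private static final String[] ALLOWED_PREFIXES = {
        "java.lang.", "java.util.", "java.sql."
    };
    // Assumption for this example: binary key columns travel as byte[].
    private static final String BYTE_ARRAY = "[B";

    static boolean isAllowed(String className) {
        if (BYTE_ARRAY.equals(className)) {
            return true;
        }
        for (String prefix : ALLOWED_PREFIXES) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** ObjectInputStream that refuses any class descriptor outside the allow-list. */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!isAllowed(name)) {
                // IOException subclasses propagate out of readObject() directly,
                // unlike ClassNotFoundException, which the JDK defers.
                throw new InvalidClassException(name, "class not allowed in primary key data");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Map<String, Object> pk) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(pk);
        }
        return bos.toByteArray();
    }

    @SuppressWarnings("unchecked")
    static Map<String, Object> deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Map<String, Object>) ois.readObject();
        }
    }

    /** Stand-in for an attacker-supplied class whose readObject() runs arbitrary code. */
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in) throws IOException {
            throw new IllegalStateException("attacker code ran");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a composite primary key of the kinds of values the allow-list covers.
        Map<String, Object> pk = new LinkedHashMap<>();
        pk.put("ID", 42L);
        pk.put("NAME", "alice");
        pk.put("CREATED", Date.valueOf("2017-09-21"));
        pk.put("HASH", new byte[] {1, 2, 3});
        System.out.println("benign map round-trips: " + deserialize(serialize(pk)));

        // Constructed hostile input: the map carries a class that is not on the allow-list.
        Map<String, Object> hostile = new LinkedHashMap<>();
        hostile.put("ID", new Payload());
        try {
            deserialize(serialize(hostile));
        } catch (InvalidClassException e) {
            // Payload.readObject() never ran; the descriptor was refused first.
            System.out.println("rejected before instantiation: " + e.getMessage());
        }
    }
}
```

Two caveats a reviewer would raise. A package-prefix allow-list is broader than the set of classes the map actually needs; when the expected value types are known (Long, String, java.sql.Date, byte[] and so on), listing exact class names is tighter and costs nothing. And on Java 9 or later, the same check is better expressed with ObjectInputStream.setObjectInputFilter (JEP 290), which is applied by the JDK itself and also lets you cap nesting depth and array sizes; the resolveClass override above is the portable form that works on the Java 7 and 8 runtimes Phoenix 4.x targeted.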
