[
https://issues.apache.org/jira/browse/FLINK-6421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15990201#comment-15990201
]
Greg Hogan commented on FLINK-6421:
-----------------------------------
Please describe the attack in greater detail. I am only seeing that we are
loading a class, not executing arbitrary code, and that the user class itself
can do these things. The data stream should be protected by SSL.
> Unchecked reflection calls in PojoSerializer
> --------------------------------------------
>
> Key: FLINK-6421
> URL: https://issues.apache.org/jira/browse/FLINK-6421
> Project: Flink
> Issue Type: Bug
> Reporter: Ted Yu
> Priority: Minor
>
> Here is one example:
> {code}
> String subclassName = source.readUTF();
> try {
> actualSubclass = Class.forName(subclassName, true, cl);
> {code}
> subclassName may carry tainted value, allowing an attacker to bypass security
> checks, obtain unauthorized data, or execute arbitrary code
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
