Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0-alpha2
    • Component/s: None
    • Labels:
      None

      Description

      The WriteableRPCEngine depends on Java's serialization mechanisms for RPC requests. Without proper checks, it has been shown that it can lead to security vulnerabilities such as remote code execution (e.g., COLLECTIONS-580, HADOOP-12577).

      The current implementation has migrated from WriteableRPCEngine to ProtobufRPCEngine now. This jira proposes to deprecate WriteableRPCEngine in branch-2 and to remove it in trunk.

        Attachments

        1. HADOOP-12579-v1.patch
          61 kB
          Kai Zheng
        2. HADOOP-12579-v10.patch
          103 kB
          Kai Zheng
        3. HADOOP-12579-v11.patch
          103 kB
          Kai Zheng
        4. HADOOP-12579-v12.patch
          1 kB
          Wei Zhou
        5. HADOOP-12579-v3.patch
          86 kB
          Kai Zheng
        6. HADOOP-12579-v4.patch
          65 kB
          Kai Zheng
        7. HADOOP-12579-v5.patch
          99 kB
          Kai Zheng
        8. HADOOP-12579-v6.patch
          101 kB
          Kai Zheng
        9. HADOOP-12579-v7.patch
          101 kB
          Kai Zheng
        10. HADOOP-12579-v8.patch
          103 kB
          Kai Zheng
        11. HADOOP-12579-v9.patch
          103 kB
          Kai Zheng

              People

              • Assignee:
                zhouwei Wei Zhou
                Reporter:
                wheat9 Haohui Mai
              • Votes:
                0
                Watchers:
                17