[PHOENIX-4189] Avoid direct use of ObjectInputStream in Hive integration - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.12.0
Component/s: None
Labels:
None

Description

Another security scan ding, but not a very big concern.

We use ObjectInputStream to serialize/deserialize a Map which contains the columns+values of the primary key constraint. The problem with ObjectInputStream is that it doesn't care what Class it deserializes. If a malicious user can someone coerce some unknowing user to use an InputSplit that has this specially crafted class, we can get into an arbitrary code execution.

https://www.ibm.com/developerworks/library/se-lookahead/ outlines a way to work around this issue in code, but it leaves a bit to be desired. The ObjectInputStream recursively calls itself as it deserializes the fields in the Object. By trusting some classes from the packages java.lang, java.util, and java.sql, I believe we can remove this minor concern.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

PHOENIX-4189_addendum.patch
18/Sep/17 23:30
1 kB
James R. Taylor
PHOENIX-4189.001.patch
09/Sep/17 04:46
12 kB
Josh Elser

Activity

People

Assignee:: Josh Elser

Reporter:: Josh Elser

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 09/Sep/17 04:00

Updated:: 21/Sep/17 18:12

Resolved:: 14/Sep/17 22:46