-
Notifications
You must be signed in to change notification settings - Fork 38.2k
Commit
Since SerializationUtils#deserialize is based on Java's serialization mechanism, it can be the source of Remote Code Execution (RCE) vulnerabilities. Closes gh-28075
- Loading branch information
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -150,7 +150,7 @@ private static CacheOperationInvoker.ThrowableWrapper rewriteCallStack( | |
@Nullable | ||
private static <T extends Throwable> T cloneException(T exception) { | ||
try { | ||
return (T) SerializationUtils.deserialize(SerializationUtils.serialize(exception)); | ||
This comment was marked as off-topic.
Sorry, something went wrong. |
||
return SerializationUtils.clone(exception); | ||
This comment was marked as off-topic.
Sorry, something went wrong.
tengyer
|
||
} | ||
catch (Exception ex) { | ||
return null; // exception parameter cannot be cloned | ||
|
8 comments
on commit 7f7fb58
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there specific detection and defense rules?
In general we recommend that Java Serialization never be used with untrusted sources.
In addition, SerializationUtils
now contains a warning which provides a link to guidance provided by the Java team.
spring-framework/spring-core/src/main/java/org/springframework/util/SerializationUtils.java
Lines 33 to 36 in 02d3e00
* <p><strong>WARNING</strong>: These utilities should be used with caution. See | |
* <a href="https://www.oracle.com/java/technologies/javase/seccodeguide.html#8" | |
* target="_blank">Secure Coding Guidelines for the Java Programming Language</a> | |
* for details. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This commit does not resolve any already existing vulnerabilities and has nothing to do with spring core RCE. Just stop spamming this commit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This commit does not resolve any already existing vulnerabilities and has nothing to do with spring core RCE. Just stop spamming this commit.
What @Kontinuation said is correct.
The purpose of this commit is to inform anyone who had previously been using SerializationUtils#deserialize
that it is dangerous to deserialize objects from untrusted sources.
The core Spring Framework does not use SerializationUtils
to deserialize objects from untrusted sources.
If you believe you have discovered a security issue, please report it responsibly with the dedicated page: https://spring.io/security-policy
And please refrain from posting any additional comments to this commit.
Thank you
1