
Deprecate DefaultExecutionContextSerializer

Open fmbenhassine opened this issue 3 years ago • 0 comments

The DefaultExecutionContextSerializer uses DefaultSerializer and DefaultDeserializer from Spring Framework which are both based on Java's built-in object serialization/deserialization mechanisms. Java's object serialization is known to be vulnerable and its usage in SF will be deprecated in v6. Here is an excerpt from SerializationUtils javadocs:

This utility will be deprecated in Spring Framework 6.0 since it uses Java Object Serialization, which allows
arbitrary code to be run and is known for being the source of many Remote Code Execution (RCE) vulnerabilities.
Prefer the use of an external tool (that serializes to JSON, XML, or any other format) which is regularly
checked and updated for not allowing RCE.

Related resources:

fmbenhassine avatar Jun 07 '22 11:06 fmbenhassine
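The mitigation the javadoc excerpt points to, swapping the Java-serialization-based default for a JSON serializer, as an added configuration example that is not part of this issue or of the Spring Batch code base. It assumes a DataSource and a PlatformTransactionManager are already defined as beans elsewhere in the application.

```java
import javax.sql.DataSource;

import org.springframework.batch.core.repository.JobRepository;
import org.springframework.batch.core.repository.dao.Jackson2ExecutionContextSerializer;
import org.springframework.batch.core.repository.support.JobRepositoryFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.transaction.PlatformTransactionManager;

@Configuration
public class JsonExecutionContextConfig {

    // Assumed beans: the DataSource and PlatformTransactionManager are
    // provided by the surrounding application, not by this class.
    @Bean
    public JobRepository jobRepository(DataSource dataSource,
                                       PlatformTransactionManager txManager) throws Exception {
        JobRepositoryFactoryBean factory = new JobRepositoryFactoryBean();
        factory.setDataSource(dataSource);
        factory.setTransactionManager(txManager);

        // Replace DefaultExecutionContextSerializer (Java ObjectInputStream
        // based) with the JSON serializer, so the SERIALIZED_CONTEXT columns of
        // BATCH_JOB_EXECUTION_CONTEXT / BATCH_STEP_EXECUTION_CONTEXT hold JSON
        // that is parsed by Jackson rather than deserialized as Java objects.
        factory.setSerializer(new Jackson2ExecutionContextSerializer());

        factory.afterPropertiesSet();
        return factory.getObject();
    }
}
```

The two formats are not interchangeable: execution contexts already stored with the Java serializer cannot be read back by the JSON one, so drain or migrate persisted job executions before switching a running repository.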