Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreDear Spring community,
On behalf of the team and everyone who contributed, it is my pleasure to announce a number of maintenance releases for Spring Integration. Mostly these versions contain bug fixes and dependency upgrades.
The Spring Integration framework provides Kryo Codec
implementations as an alternative for Java (de)serialization. When Kryo
is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when the incoming data contains malicious code for execution during deserialization.
In order to protect against this type of attack, Kryo
can be configured to require a set of trusted classes for (de)serialization. Spring Integration calls kryo.setRegistrationRequired(true);
(trust no one) by default and pre-configures out-of-the-box Message<?>
implementations as trusted classes. All other types have to be registered with Kryo
using any available KryoRegistrar
strategy injected into a PojoCodec
.
Credit: ChengGao, ZeZhiLin, Alibaba Cloud Intelligence Security Team https://www.aliyun.com/.
All the mentioned Spring Integration versions include the fix for this CVE; everybody who’s using Kryo support in Spring Integration is encouraged to upgrade respectively.
Cheers,
Artem
Project Page | GitHub Issues | Contributing | Help | Chat