The Spring Integration framework provides Kryo
Codec implementations as an alternative for Java (de)serialization. When
Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when the incoming data contains malicious code for execution during deserialization.
In order to protect against this type of attack,
Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration calls
kryo.setRegistrationRequired(true); (trust no one) by default and pre-configures out-of-the-box
Message<?> implementations as trusted classes. All other types have to be registered with
Kryo using any available
KryoRegistrar strategy injected into a
All the mentioned Spring Integration versions include the fix for this CVE; everybody who’s using Kryo support in Spring Integration is encouraged to upgrade respectively.