CVE-2023-36480 CLIENT-2252 DIsable java runtime serialization/deseria…

…lization. Deserialization of java runtime serialized objects has been identified as a security risk by CodeQL team members @atorralba (Tony Torralba) and @joefarebrother (Joseph Farebrother). All existing database objects that are serialized using this serialization format will need to be converted to a safer format (Aerospike native types, protobuf, msgpack, json, xml ...) using a previous client version.
aerospike · Aug 7, 2023 · 66aafb4 · 66aafb4
1 parent 4dad2ce
commit 66aafb4
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 44 deletions.
diff --git a/client/src/com/aerospike/client/Value.java b/client/src/com/aerospike/client/Value.java
@@ -16,8 +16,6 @@
  */
 package com.aerospike.client;
 
-import java.io.ByteArrayOutputStream;
-import java.io.ObjectOutputStream;
 import java.nio.ByteBuffer;
 import java.util.Arrays;
 import java.util.List;
@@ -1278,19 +1276,7 @@ public int estimateSize() throws AerospikeException.Serialize {
 		}
 
 		public static byte[] serialize(Object val) {
-			if (DisableSerializer) {
-				throw new AerospikeException("Object serializer has been disabled");
-			}
-
-			try (ByteArrayOutputStream bstream = new ByteArrayOutputStream()) {
-				try (ObjectOutputStream ostream = new ObjectOutputStream(bstream)) {
-					ostream.writeObject(val);
-				}
-				return bstream.toByteArray();
-			}
-			catch (Throwable e) {
-				throw new AerospikeException.Serialize(e);
-			}
+			throw new AerospikeException("Object serializer has been disabled");
 		}
 
 		@Override

diff --git a/client/src/com/aerospike/client/command/Buffer.java b/client/src/com/aerospike/client/command/Buffer.java
@@ -16,8 +16,6 @@
  */
 package com.aerospike.client.command;
 
-import java.io.ByteArrayInputStream;
-import java.io.ObjectInputStream;
 import java.math.BigInteger;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
@@ -302,18 +300,7 @@ public static Object bytesToObject(byte[] buf, int offset, int length) {
 			return null;
 		}
 
-		if (Value.DisableDeserializer) {
-			throw new AerospikeException.Serialize("Object deserializer has been disabled");
-		}
-
-		try (ByteArrayInputStream bastream = new ByteArrayInputStream(buf, offset, length)) {
-			try (ObjectInputStream oistream = new ObjectInputStream(bastream)) {
-				return oistream.readObject();
-			}
-		}
-		catch (Throwable e) {
-			throw new AerospikeException.Serialize(e);
-		}
+		throw new AerospikeException.Serialize("Object deserializer has been disabled");
 	}
 
 	public static Value bytesToLongValue(byte[] buf, int offset, int len) {

diff --git a/client/src/com/aerospike/client/util/Unpacker.java b/client/src/com/aerospike/client/util/Unpacker.java
@@ -16,9 +16,7 @@
  */
 package com.aerospike.client.util;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.nio.ByteBuffer;
 import java.util.AbstractMap;
 import java.util.ArrayList;
@@ -235,19 +233,7 @@ private T unpackBlob(int count) throws IOException, ClassNotFoundException {
 			break;
 
 		case ParticleType.JBLOB:
-			if (Value.DisableDeserializer) {
-				throw new AerospikeException.Serialize("Object deserializer has been disabled");
-			}
-
-			try (ByteArrayInputStream bastream = new ByteArrayInputStream(buffer, offset, count)) {
-				try (ObjectInputStream oistream = new ObjectInputStream(bastream)) {
-					val = getJavaBlob(oistream.readObject());
-				}
-			}
-			catch (Throwable e) {
-				throw new AerospikeException.Serialize(e);
-			}
-			break;
+			throw new AerospikeException.Serialize("Object deserializer has been disabled");
 
 		case ParticleType.GEOJSON:
 			val = getGeoJSON(Buffer.utf8ToString(buffer, offset, count));