CVE-2023-36480 CLIENT-2252 DIsable java runtime serialization/deseria…

…lization. Deserialization of java runtime serialized objects has been identified as a security risk by CodeQL team members @atorralba (Tony Torralba) and @joefarebrother (Joseph Farebrother). All existing database objects that are serialized using this serialization format will need to be converted to a safer format (Aerospike native types, protobuf, msgpack, json, xml ...) using a previous client version.
aerospike · Aug 7, 2023 · 02bf28e · 02bf28e
1 parent aeda98b
commit 02bf28e
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 47 deletions.
diff --git a/client/src/com/aerospike/client/Value.java b/client/src/com/aerospike/client/Value.java
@@ -16,8 +16,6 @@
  */
 package com.aerospike.client;
 
-import java.io.ByteArrayOutputStream;
-import java.io.ObjectOutputStream;
 import java.nio.ByteBuffer;
 import java.util.Arrays;
 import java.util.List;
@@ -1020,17 +1018,7 @@ public BlobValue(Object object) {
 
 		@Override
 		public int estimateSize() throws AerospikeException.Serialize {
-			try {
-				ByteArrayOutputStream bstream = new ByteArrayOutputStream();
-				ObjectOutputStream ostream = new ObjectOutputStream(bstream);
-				ostream.writeObject(object);
-				ostream.close();
-				bytes = bstream.toByteArray();
-				return bytes.length;
-			}
-			catch (Exception e) {
-				throw new AerospikeException.Serialize(e);
-			}
+			throw new AerospikeException(ResultCode.SERIALIZE_ERROR, "Object serializer has been disabled");
 		}
 
 		@Override

diff --git a/client/src/com/aerospike/client/command/Buffer.java b/client/src/com/aerospike/client/command/Buffer.java
@@ -16,13 +16,12 @@
  */
 package com.aerospike.client.command;
 
-import java.io.ByteArrayInputStream;
-import java.io.ObjectInputStream;
 import java.io.UnsupportedEncodingException;
 import java.math.BigInteger;
 import java.util.Arrays;
 
 import com.aerospike.client.AerospikeException;
+import com.aerospike.client.ResultCode;
 import com.aerospike.client.Value;
 import com.aerospike.client.util.Unpacker;
 
@@ -335,14 +334,7 @@ public static Object bytesToObject(byte[] buf, int offset, int length)
     		return null;
     	}
 
-		try {
-			ByteArrayInputStream bastream = new ByteArrayInputStream(buf, offset, length);
-			ObjectInputStream oistream = new ObjectInputStream(bastream);
-			return oistream.readObject();
-		}
-		catch (Exception e) {
-    		throw new AerospikeException.Serialize(e);
-		}
+		throw new AerospikeException(ResultCode.SERIALIZE_ERROR, "Object deserializer has been disabled");
 	}
 
 	public static Value bytesToLongValue(byte[] buf, int offset, int len) {

diff --git a/client/src/com/aerospike/client/util/Packer.java b/client/src/com/aerospike/client/util/Packer.java
@@ -16,16 +16,14 @@
  */
 package com.aerospike.client.util;
 
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.ObjectOutputStream;
 import java.nio.ByteBuffer;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
 
 import com.aerospike.client.AerospikeException;
+import com.aerospike.client.ResultCode;
 import com.aerospike.client.Value;
 import com.aerospike.client.cdt.MapOrder;
 import com.aerospike.client.command.Buffer;
@@ -191,21 +189,7 @@ public void packBytes(byte[] b, int offset, int length) {
 	}
 
 	public void packBlob(Object val) throws AerospikeException {
-		ByteArrayOutputStream bstream = new ByteArrayOutputStream();
-
-		try {
-			ObjectOutputStream ostream = new ObjectOutputStream(bstream);
-			ostream.writeObject(val);
-			ostream.close();
-		}
-		catch (IOException ioe) {
-			throw new AerospikeException.Serialize(ioe);
-		}
-
-		byte[] bytes = bstream.toByteArray();
-        packByteArrayBegin(bytes.length + 1);
-    	packByte(ParticleType.JBLOB);
-    	packByteArray(bytes, 0, bytes.length);
+		throw new AerospikeException(ResultCode.SERIALIZE_ERROR, "Object serializer has been disabled");
 	}
 
 	public void packGeoJSON(String val) {

diff --git a/client/src/com/aerospike/client/util/Unpacker.java b/client/src/com/aerospike/client/util/Unpacker.java
@@ -16,9 +16,7 @@
  */
 package com.aerospike.client.util;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.nio.ByteBuffer;
 import java.util.AbstractMap;
 import java.util.ArrayList;
@@ -30,6 +28,7 @@
 import java.util.TreeMap;
 
 import com.aerospike.client.AerospikeException;
+import com.aerospike.client.ResultCode;
 import com.aerospike.client.Value;
 import com.aerospike.client.command.Buffer;
 import com.aerospike.client.command.ParticleType;
@@ -235,10 +234,7 @@ private T unpackBlob(int count) throws IOException, ClassNotFoundException {
 			break;
 
 		case ParticleType.JBLOB:
-			ByteArrayInputStream bastream = new ByteArrayInputStream(buffer, offset, count);
-			ObjectInputStream oistream = new ObjectInputStream(bastream);
-			val = getJavaBlob(oistream.readObject());
-			break;
+			throw new AerospikeException(ResultCode.SERIALIZE_ERROR, "Object deserializer has been disabled");
 
 		case ParticleType.GEOJSON:
 			val = getGeoJSON(Buffer.utf8ToString(buffer, offset, count));