The DefaultExecutionContextSerializer uses DefaultSerializer and DefaultDeserializer from Spring Framework, which are both based on Java's built-in object serialization/deserialization mechanisms. Java's object serialization is known to be vulnerable, and its usage in Spring Framework (SF) will be deprecated in v6. Here is an excerpt from the SerializationUtils javadocs:
This utility will be deprecated in Spring Framework 6.0 since it uses Java Object Serialization, which allows
arbitrary code to be run and is known for being the source of many Remote Code Execution (RCE) vulnerabilities.
Prefer the use of an external tool (that serializes to JSON, XML, or any other format) which is regularly
checked and updated for not allowing RCE.
The default serializer should be updated to produce/consume Base64 content.
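As an added example (not code from the issue or from the Spring Batch project), the following configuration replaces the Java-serialization-based default with Spring Batch's Jackson2ExecutionContextStringSerializer, so the execution context is persisted as JSON text and read back without ObjectInputStream. The trusted class name passed to the constructor is a constructed placeholder; the DataSource and PlatformTransactionManager beans are assumed to exist elsewhere in the application.

```java
import javax.sql.DataSource;

import org.springframework.batch.core.repository.ExecutionContextSerializer;
import org.springframework.batch.core.repository.JobRepository;
import org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer;
import org.springframework.batch.core.repository.support.JobRepositoryFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.transaction.PlatformTransactionManager;

@Configuration
public class JsonExecutionContextConfig {

    @Bean
    public ExecutionContextSerializer executionContextSerializer() {
        // JSON-based serializer: deserialization goes through Jackson, whose
        // polymorphic type handling is limited to an allow-list of trusted
        // classes, instead of through Java object deserialization.
        // "com.example.batch.Checkpoint" is a placeholder for an application
        // class you deliberately allow to be stored in the execution context.
        return new Jackson2ExecutionContextStringSerializer("com.example.batch.Checkpoint");
    }

    @Bean
    public JobRepository jobRepository(DataSource dataSource,
                                       PlatformTransactionManager transactionManager,
                                       ExecutionContextSerializer serializer) throws Exception {
        JobRepositoryFactoryBean factory = new JobRepositoryFactoryBean();
        factory.setDataSource(dataSource);
        factory.setTransactionManager(transactionManager);
        // Overrides the DefaultExecutionContextSerializer the factory would
        // otherwise install.
        factory.setSerializer(serializer);
        factory.afterPropertiesSet();
        return factory.getObject();
    }
}
```

Any JobExplorer that reads the same metadata tables must be configured with the same serializer (JobExplorerFactoryBean has a matching setSerializer method), and execution contexts already stored in the Java-serialized form cannot be read by the JSON serializer.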