Question about `Kryo.registrationRequired` being enabled by default · Issue #929 · EsotericSoftware/kryo · GitHub
Question about Kryo.registrationRequired being enabled by default #929

JLLeitschuh opened this issue Dec 14, 2022 · 3 comments
@JLLeitschuh (Author) commented Dec 14, 2022

I'm a security researcher doing some historical digging and trying to figure out when Kryo.registrationRequired was set as true by default. Do you know if a CVE was ever issued when this became the default behaviour? I'm wondering because it would be good to encourage end users to upgrade beyond this version. The best way to do this can be by issuing a CVE number.

@theigl (Collaborator) commented Dec 14, 2022

See #398. The change is present in all released versions of 5.x.

There was no CVE issued because this was simply deemed a sensible change to a default value.

@JLLeitschuh (Author) commented Dec 14, 2022

Much appreciated. As this is a serious security improvement, do you mind if I work with a CNA to issue a CVE number for all versions of Kryo prior to 5.0.0 to make sure your end users are aware of this important security improvement and that they should update?

@theigl (Collaborator) commented Dec 14, 2022

There is no need to upgrade if you are on an older version of Kryo. Users can simply set setRegistrationRequired(true) on older versions. And a lot of users will already have set it, because registering classes upfront is faster.

Since Kryo is not backwards-compatible between major versions, upgrading Kryo to 5.x can be a lot of work if you have persistent data. Existing data has to be read with the older version and written with the newer version. It doesn't make sense to force/urge users to go through this, just because of a change to a default value that they can already set themselves in their current version.

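Added illustration of the two configurations discussed above (example code written for this page, not code from the Kryo project or from the issue's participants): a Kryo instance with the pre-5.0 default beside a hardened one with registrationRequired set to true and an explicit allow-list. It assumes the Kryo 5.x API; Message and Unexpected are hypothetical stand-ins for application types.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;
import java.io.ByteArrayOutputStream;

public class KryoRegistrationDemo {
    // Hypothetical application types for the demo (not part of Kryo or the issue).
    public static class Message { public String text; }
    public static class Unexpected { public int n; }
    // Pre-5.0 default: classes are written by name and resolved by name on read.
    static Kryo permissive() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false); // explicit here; this was the pre-5.0 default
        return kryo;
    }
    // Hardened configuration: the 5.x default plus an explicit allow-list of types.
    static Kryo strict() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true); // refuse any class not registered upfront
        kryo.register(Message.class);       // only the application's own types
        return kryo;
    }
    static byte[] serialize(Kryo kryo, Object obj) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (Output out = new Output(bos)) { kryo.writeClassAndObject(out, obj); }
        return bos.toByteArray();
    }

    static Object deserialize(Kryo kryo, byte[] bytes) {
        try (Input in = new Input(bytes)) { return kryo.readClassAndObject(in); }
    }

    public static void main(String[] args) {
        Message m = new Message();
        m.text = "hello";
        // Registered type round-trips; the stream carries a registration id, not a class name.
        Message back = (Message) deserialize(strict(), serialize(strict(), m));
        System.out.println("strict round-trip: " + back.text);
        // A permissive writer names Unexpected by class name; the strict reader
        // rejects it (IllegalArgumentException) instead of instantiating it.
        byte[] fromPermissive = serialize(permissive(), new Unexpected());
        try {
            deserialize(strict(), fromPermissive);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same setRegistrationRequired(true) call is available on the 4.x line, which is the point theigl makes: the hardened reader can be configured without a major-version upgrade.
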
@theigl theigl closed this as completed Dec 28, 2022