There isn't any setting to control setRegistrationRequired().
You can however turn Kryo off via ExecutionConfig#disableGenericTypes,
although this may require changes to your data types.
I'd recommend filing a ticket.
On 04/02/2022 20:12, Shane Bishop wrote:
Hi all,
TL;DR: I am concerned that kryo.setRegistrationRequired(false) in
Apache Flink might introduce serialization/deserialization
vulnerabilities, and I want to better understand the security
implications of its use in Flink.
There is an issue on the Kryo GitHub repo (link
<https://github.com/EsotericSoftware/kryo/issues/398>) regarding type
registration. The "fix" the Kryo developers made was to
make setRegistrationRequired(true) the default (comment on GitHub
issue
<https://github.com/EsotericSoftware/kryo/issues/398#issuecomment-371153541>, commit
with this fix
<https://github.com/EsotericSoftware/kryo/commit/fc7f0cc7037ff1384b4cdac5b7ada287c64f0a00> and
the line in the commit that is the fix
<https://github.com/EsotericSoftware/kryo/commit/fc7f0cc7037ff1384b4cdac5b7ada287c64f0a00#diff-6d4638ca49aa0d0d9171ff04a0faa22e241f8320fda4a8a12c95853188d055a0R130>).
This is not a true fix, as the default can still be overridden. This
only sets a safe default.
In Flink, the default of true is overridden in the 1.14.3 Flink
release (see KryoSerializer.java
<https://github.com/apache/flink/blob/release-1.14.3/flink-core/src/main/java/org/apache/flink/api/java/typeutils/runtime/kryo/KryoSerializer.java#L492> and
FlinkScalaKryoInstantiator.scala
<https://github.com/apache/flink/blob/release-1.14.3/flink-scala/src/main/scala/org/apache/flink/runtime/types/FlinkScalaKryoInstantiator.scala#L46>).
I am no Flink contributor, so I might be missing safety mechanisms
that are in place to prevent the Kryo serialization/deserialization
vulnerability even when registration required is set to false. Are
there any such safety mechanisms in place?
Is there anything I can do as a user of Flink to protect myself
against this Kryo vulnerability?
Best regards,
Shane Bishop
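An added example (not from the thread, nor Flink's or Kryo's own code) showing what `setRegistrationRequired(true)` actually enforces at the Kryo level, and the Flink-side switch mentioned in the reply, `ExecutionConfig#disableGenericTypes`, which makes a job fail fast instead of silently falling back to Kryo for a type. It assumes Kryo and Flink 1.14 on the classpath; the `Payload` class and `KryoRegistrationDemo` are hypothetical names.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;
import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;

public class KryoRegistrationDemo {

    // Hypothetical type. The private field without getter/setter means Flink's
    // POJO analysis rejects it and treats it as a "generic type" (Kryo fallback).
    public static final class Payload {
        private String value = "constructed sample";
        public Payload() {}
    }

    // Kryo level: with registration required, an unregistered class cannot even
    // be written, and, more importantly for a consumer, cannot be read back.
    static void kryoDemo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        Output out = new Output(1024);
        try {
            kryo.writeClassAndObject(out, new Payload());
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected unregistered class: " + e.getMessage());
        }
        // Explicit allow-list: only registered classes are accepted on both sides.
        kryo.register(Payload.class);
        kryo.writeClassAndObject(out, new Payload());
        Object back = kryo.readClassAndObject(new Input(out.toBytes()));
        System.out.println("Round-trip of registered class: " + back.getClass().getName());
    }

    // Flink level: disableGenericTypes() makes Flink throw
    // UnsupportedOperationException where it would otherwise build a
    // KryoSerializer for a type, so the fallback is detected at job build time
    // rather than tolerated at runtime.
    static void flinkDemo() {
        StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment();
        env.getConfig().disableGenericTypes();
        try {
            env.fromElements(new Payload());
        } catch (UnsupportedOperationException e) {
            System.out.println("Flink refused Kryo fallback: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        kryoDemo();
        flinkDemo();
    }
}
```

Note that Flink's own `KryoSerializer` still calls `setRegistrationRequired(false)` regardless of what you register through `ExecutionConfig#registerKryoType`, so registration in Flink improves efficiency but is not an enforced allow-list; `disableGenericTypes` is the hard stop available to a user.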