Thanks Chesnay Schepler.

I filed a ticket: https://issues.apache.org/jira/browse/FLINK-25993

My team will try disabling Kryo with ExecutionConfig#disableGenericTypes and 
see if we need to change our data types or not.

Best regards,
Shane
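
What ExecutionConfig#disableGenericTypes actually changes, as an added example that is not code from this thread or from Flink itself. The class names GenericTypeCheck, Event and Opaque are made up for illustration; the Flink calls (TypeInformation.of, GenericTypeInfo, createSerializer(ExecutionConfig), ExecutionConfig#disableGenericTypes) are assumed to be those of the Flink 1.14 API discussed in the thread. Flink falls back to Kryo for any type it cannot analyse as a POJO, tuple or basic type; with generic types disabled, GenericTypeInfo#createSerializer throws UnsupportedOperationException instead of handing back a KryoSerializer, so such types surface when the job graph is built rather than at runtime.

```java
import org.apache.flink.api.common.ExecutionConfig;
import org.apache.flink.api.common.typeinfo.TypeInformation;
import org.apache.flink.api.common.typeutils.TypeSerializer;
import org.apache.flink.api.java.typeutils.GenericTypeInfo;
import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;

/** Added example (not Flink's own code): find the types in a job that would be served by Kryo. */
public class GenericTypeCheck {

    /** A valid Flink POJO: public class, public no-arg constructor, public fields. */
    public static class Event {
        public long timestamp;
        public String name;
        public Event() {}
    }

    /** Not a POJO (no default constructor, private field without accessors); Flink classifies it as a generic type. */
    public static final class Opaque {
        private final String payload;
        public Opaque(String payload) { this.payload = payload; }
    }

    /** True if Flink's type extraction would route this class through Kryo (GenericTypeInfo). */
    public static boolean usesKryo(Class<?> clazz) {
        return TypeInformation.of(clazz) instanceof GenericTypeInfo;
    }

    /**
     * Builds the serializer Flink would use for clazz under the given config and names it.
     * With generic types disabled, GenericTypeInfo#createSerializer throws
     * UnsupportedOperationException, which is the fail-fast behaviour we want.
     */
    public static String describeSerializer(Class<?> clazz, ExecutionConfig config) {
        try {
            TypeSerializer<?> serializer = TypeInformation.of(clazz).createSerializer(config);
            return serializer.getClass().getSimpleName();
        } catch (UnsupportedOperationException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        ExecutionConfig permissive = new ExecutionConfig(); // Flink default: Kryo fallback allowed
        ExecutionConfig strict = new ExecutionConfig();
        strict.disableGenericTypes();                       // the switch suggested in the thread

        for (Class<?> clazz : new Class<?>[] {Event.class, Opaque.class}) {
            System.out.println(clazz.getSimpleName() + " uses Kryo: " + usesKryo(clazz));
            System.out.println("  permissive config -> " + describeSerializer(clazz, permissive));
            System.out.println("  strict config     -> " + describeSerializer(clazz, strict));
        }

        // In a real job the same switch is set on the environment's config so that the
        // job graph fails to build instead of silently picking up a KryoSerializer.
        StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment();
        env.getConfig().disableGenericTypes();
    }
}
```

Running describeSerializer over every class that flows through the job is a cheap way to find out up front which data types need to be turned into POJOs (or given explicit TypeInformation) before the switch can be enabled; note that ExecutionConfig#enableForceKryo does the opposite and must not be set at the same time.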

________________________________
From: Chesnay Schepler <ches...@apache.org>
Sent: February 7, 2022 3:08 AM
To: Shane Bishop <shane.bis...@outlook.com>; user@flink.apache.org 
<user@flink.apache.org>
Subject: Re: Questions about Kryo setRegistrationRequired(false)

There isn't any setting to control setRegistrationRequired().

You can however turn Kryo off via ExecutionConfig#disableGenericTypes, although 
this may require changes to your data types.

I'd recommend filing a ticket.

On 04/02/2022 20:12, Shane Bishop wrote:
Hi all,

TL;DR: I am concerned that kryo.setRegistrationRequired(false) in Apache Flink 
might introduce serialization/deserialization vulnerabilities, and I want to 
better understand the security implications of its use in Flink.

There is an issue on the Kryo GitHub repo 
(https://github.com/EsotericSoftware/kryo/issues/398) regarding type 
registration. The "fix" the Kryo developers made was to make 
setRegistrationRequired(true) the default (comment on the GitHub issue: 
https://github.com/EsotericSoftware/kryo/issues/398#issuecomment-371153541, 
commit with this fix: 
https://github.com/EsotericSoftware/kryo/commit/fc7f0cc7037ff1384b4cdac5b7ada287c64f0a00 
and the line in the commit that is the fix: 
https://github.com/EsotericSoftware/kryo/commit/fc7f0cc7037ff1384b4cdac5b7ada287c64f0a00#diff-6d4638ca49aa0d0d9171ff04a0faa22e241f8320fda4a8a12c95853188d055a0R130).

This is not a true fix, as the default can still be overridden. This only sets 
a safe default.

In Flink, the default of true is overridden in the 1.14.3 Flink release (see 
KryoSerializer.java: 
https://github.com/apache/flink/blob/release-1.14.3/flink-core/src/main/java/org/apache/flink/api/java/typeutils/runtime/kryo/KryoSerializer.java#L492 
and FlinkScalaKryoInstantiator.scala: 
https://github.com/apache/flink/blob/release-1.14.3/flink-scala/src/main/scala/org/apache/flink/runtime/types/FlinkScalaKryoInstantiator.scala#L46).

I am no Flink contributor, so I might be missing safety mechanisms that are in 
place to prevent the Kryo serialization/deserialization vulnerability even when 
registration required is set to false. Are there any such safety mechanisms in 
place?

Is there anything I can do as a user of Flink to protect myself against this 
Kryo vulnerability?

Best regards,
Shane Bishop
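
What setRegistrationRequired(false) changes on the wire and at read time, as an added example that is neither Flink's nor Kryo's own code and not part of the thread. It uses only the public Kryo API (Kryo, Output, Input, setRegistrationRequired, register, writeClassAndObject, readClassAndObject), which is the same in the Kryo 2.x line Flink bundles and in Kryo 5; the class names KryoRegistrationDemo and Ticket are made up. With registration not required, Kryo writes the fully qualified class name into the stream and the reader instantiates whatever class the stream names (provided it is on the classpath); with registration required, only classes registered on the reader are accepted and unknown ones are rejected with IllegalArgumentException.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

import java.nio.charset.StandardCharsets;

/** Added example (not Kryo's or Flink's code): registration-required versus by-name serialization. */
public class KryoRegistrationDemo {

    /** Plain value class; Kryo's default FieldSerializer handles it without custom code. */
    public static class Ticket {
        public String id;
        public int priority;
    }

    /** The Flink setting under discussion: unregistered classes are written by name and resolved by name. */
    public static Kryo permissiveKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false);
        return kryo;
    }

    /** Kryo's hardened default: every class must be registered, and writer and reader must register in the same order. */
    public static Kryo strictKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(Ticket.class);
        return kryo;
    }

    public static byte[] serialize(Kryo kryo, Object value) {
        Output output = new Output(256, -1);
        kryo.writeClassAndObject(output, value);
        output.close();
        return output.toBytes();
    }

    public static Object deserialize(Kryo kryo, byte[] bytes) {
        try (Input input = new Input(bytes)) {
            return kryo.readClassAndObject(input);
        }
    }

    /**
     * True if the class name is embedded in the stream, i.e. the stream (not the reader's
     * registry) decides which class gets instantiated. Kryo's short-ASCII string encoding
     * sets the high bit of the last byte, so match on all but the final character.
     */
    public static boolean carriesClassName(byte[] bytes, Class<?> clazz) {
        String name = clazz.getName();
        String blob = new String(bytes, StandardCharsets.ISO_8859_1);
        return blob.contains(name.substring(0, name.length() - 1));
    }

    public static void main(String[] args) {
        Ticket ticket = new Ticket();
        ticket.id = "T-1";
        ticket.priority = 2;

        byte[] byName = serialize(permissiveKryo(), ticket);
        byte[] byId = serialize(strictKryo(), ticket);
        System.out.println("name on the wire, registration not required: " + carriesClassName(byName, Ticket.class));
        System.out.println("name on the wire, class registered:          " + carriesClassName(byId, Ticket.class));

        // A strict reader that never registered Ticket refuses the by-name stream.
        Kryo unregisteredReader = new Kryo();
        unregisteredReader.setRegistrationRequired(true);
        try {
            deserialize(unregisteredReader, byName);
            System.out.println("unexpected: strict reader accepted an unregistered class");
        } catch (IllegalArgumentException e) {
            System.out.println("strict reader rejected the stream: " + e.getMessage());
        }

        // The permissive reader rebuilds whatever class the stream names.
        Ticket back = (Ticket) deserialize(permissiveKryo(), byName);
        System.out.println("permissive reader rebuilt " + back.id + " with priority " + back.priority);
    }
}
```

The security-relevant point is the last two steps: a reader with registration required accepts only class ids it has registered itself, while a reader with registration not required trusts the class name carried in the input. Registration ids are assigned in registration order, so the hardened setting only works when every writer and reader registers the same classes in the same order; that is the data-type work Chesnay refers to.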
