
After upgrade to spring batch 4.2.4 the application fails to getJobExecution #3733


Closed
oferfg4a opened this issue Jun 23, 2020 · 3 comments
Labels
status: duplicate Issues that are duplicates of other issues type: bug

Comments

@oferfg4a

As part of CVE-2020-5411, which was found for Spring Batch 4.0.3, we need to upgrade Spring Batch to 4.2.4. Our environment contains Spring Boot 2.0.9 with Spring Framework 5.0.13, and we have now upgraded spring-batch to 4.2.4 (Java version 1.8.0_202).

I have created a new environment based on this setup that creates a workflow. At some point the code tries to call "getJobExecution" and fails with the following error:

```
java.lang.IllegalArgumentException: The class with com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor and name of com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor is not trusted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or a custom ObjectMapper. If the serialization is only done by a trusted source, you can also enable default typing.
	at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer$TrustedTypeIdResolver.typeFromId(Jackson2ExecutionContextStringSerializer.java:329)
	at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:156)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:113)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:97)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromAny(AsPropertyTypeDeserializer.java:193)
	at com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deserializeWithType(UntypedObjectDeserializer.java:712)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:529)
	... 127 common frames omitted
Wrapped by: com.fasterxml.jackson.databind.JsonMappingException: The class with com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor and name of com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor is not trusted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or a custom ObjectMapper. If the serialization is only done by a trusted source, you can also enable default typing. (through reference chain: java.util.HashMap["vmFilesDescriptor"])
	at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:397)
	at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:356)
	at com.fasterxml.jackson.databind.deser.std.ContainerDeserializerBase.wrapAndThrow(ContainerDeserializerBase.java:181)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:539)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:364)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:29)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:130)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:97)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserializeWithType(MapDeserializer.java:400)
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:68)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4218)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3259)
	at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer.deserialize(Jackson2ExecutionContextStringSerializer.java:123)
	at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer.deserialize(Jackson2ExecutionContextStringSerializer.java:102)
	at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:325)
	... 116 common frames omitted
Wrapped by: java.lang.IllegalArgumentException: Unable to deserialize the execution context
	at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:328)
	at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:312)
	at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:93)
	at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:60)
	at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:666)
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:604)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:656)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:687)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:699)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:755)
	at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao.getExecutionContext(JdbcExecutionContextDao.java:114)
	at org.springframework.batch.core.explore.support.SimpleJobExplorer.getJobExecutionDependencies(SimpleJobExplorer.java:232)
	at org.springframework.batch.core.explore.support.SimpleJobExplorer.getJobExecution(SimpleJobExplorer.java:141)
	at com.emc.cloud_dr.infra.workflow.utils.JobExecutionUtil.getJobExecutionOptional(JobExecutionUtil.java:118)
```

I have tried to activate default typing with PolymorphicTypeValidator, but it failed to solve the issue.
I tried to downgrade to 4.2.3, but a similar issue happened.

```java
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator
        .builder()
        .allowIfBaseType("com.emc.cloud_dr.")
        .allowIfBaseType("java.util.")
        .build();
objectMapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
```

Bug description
Create a workflow that persists several jobParameters.
At some stage, getJobExecution is called.
A failure occurs.

Environment
Please provide as many details as possible: Spring Batch version, Java version, which database you use if any, etc

Spring Batch 4.2.4. Spring Boot 2.0.9 with Spring Framework 5.0.13. Java version 1.8.0_202. H2 DB.

Steps to reproduce
Create a workflow that persists several jobParameters.
At some stage, getJobExecution is called.
A failure occurs.

Expected behavior
Get the job execution and continue as before.

@oferfg4a oferfg4a added status: waiting-for-triage Issues that we did not analyse yet type: bug labels Jun 23, 2020
@mminella
Member

Closing as a duplicate of #3732. This is the same issue. Also, the fix for the CVE was put in 4.2.3 so to go back to a version that does not have it, you need to downgrade to 4.2.2.

@oferfg4a
Author

Does 4.2.2 solve the CVE as well?

@mminella
Member

No. 4.2.2 is vulnerable to the CVE as noted in the report: https://tanzu.vmware.com/security/cve-2020-5411.

@fmbenhassine fmbenhassine added status: duplicate Issues that are duplicates of other issues and removed status: waiting-for-triage Issues that we did not analyse yet labels Jan 5, 2021
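
The error message in this issue asks for "a custom ObjectMapper"; the following added example (not code from the issue or from the Spring Batch project) shows one way to hand such a mapper, with an allow-list, to the serializer used by both the JobRepository and the JobExplorer on a patched version. The class name `AllowListBatchConfigurer` is hypothetical, Jackson 2.10 or later is assumed because the reporter's snippet uses `PolymorphicTypeValidator`, and `As.PROPERTY` is an assumption chosen to match the `AsPropertyTypeDeserializer` frames in the stack trace.

```java
import javax.sql.DataSource;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import org.springframework.batch.core.configuration.annotation.DefaultBatchConfigurer;
import org.springframework.batch.core.explore.JobExplorer;
import org.springframework.batch.core.explore.support.JobExplorerFactoryBean;
import org.springframework.batch.core.repository.JobRepository;
import org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer;
import org.springframework.batch.core.repository.support.JobRepositoryFactoryBean;
import org.springframework.stereotype.Component;

// Hypothetical class: gives the repository and the explorer the same allow-listed serializer.
@Component
public class AllowListBatchConfigurer extends DefaultBatchConfigurer {
    private final DataSource dataSource;

    public AllowListBatchConfigurer(DataSource dataSource) {
        super(dataSource);
        this.dataSource = dataSource;
    }

    private Jackson2ExecutionContextStringSerializer serializer() {
        ObjectMapper mapper = new ObjectMapper();
        // Context values are declared as Object, so the validator matches on the subtype name.
        mapper.activateDefaultTyping(
                BasicPolymorphicTypeValidator.builder()
                        .allowIfSubType("com.emc.cloud_dr.cdr.commons.common_models.restore_service.")
                        .allowIfSubType("java.util.").build(),
                ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY); // assumed format
        Jackson2ExecutionContextStringSerializer serializer = new Jackson2ExecutionContextStringSerializer();
        serializer.setObjectMapper(mapper);
        return serializer;
    }
    @Override
    protected JobRepository createJobRepository() throws Exception {
        JobRepositoryFactoryBean factory = new JobRepositoryFactoryBean();
        factory.setDataSource(dataSource);
        factory.setTransactionManager(getTransactionManager());
        factory.setSerializer(serializer());
        factory.afterPropertiesSet();
        return factory.getObject();
    }
    @Override
    protected JobExplorer createJobExplorer() throws Exception {
        JobExplorerFactoryBean factory = new JobExplorerFactoryBean();
        factory.setDataSource(dataSource);
        factory.setSerializer(serializer());
        factory.afterPropertiesSet();
        return factory.getObject();
    }
}
```

Keep the allowed prefixes as narrow as the stored execution contexts permit: every package added to the validator widens what the database content is able to instantiate.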