After upgrade to spring batch 4.2.4 the application fails to getJobExecution

[oferfg4a]

As part of cve-2020-5411 that found for spring batch 4.0.3 we need to upgrade spring batch to 4.2.4. our environment contains Spring boot 2.0.9 with springframework 5.0.13 and now upgraded spring-batch to 4.2.4 (java version 1.8.0_202).

I have created new environment based on this setup that create workflow. In some point the code is trying to "getJobExecution" and fails with the following error:

java.lang.IllegalArgumentException: The class with com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor and name of com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor is not trusted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or a custom ObjectMapper. If the serialization is only done by a trusted source, you can also enable default typing. at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer$TrustedTypeIdResolver.typeFromId(Jackson2ExecutionContextStringSerializer.java:329) at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:156) at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:113) at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:97) at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromAny(AsPropertyTypeDeserializer.java:193) at com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deserializeWithType(UntypedObjectDeserializer.java:712) at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:529) ... 127 common frames omitted Wrapped by: com.fasterxml.jackson.databind.JsonMappingException: The class with com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor and name of com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor is not trusted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or a custom ObjectMapper. If the serialization is only done by a trusted source, you can also enable default typing. (through reference chain: java.util.HashMap["vmFilesDescriptor"]) at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:397) at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:356) at com.fasterxml.jackson.databind.deser.std.ContainerDeserializerBase.wrapAndThrow(ContainerDeserializerBase.java:181) at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:539) at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:364) at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:29) at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:130) at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:97) at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserializeWithType(MapDeserializer.java:400) at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:68) at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4218) at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3259) at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer.deserialize(Jackson2ExecutionContextStringSerializer.java:123) at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer.deserialize(Jackson2ExecutionContextStringSerializer.java:102) at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:325) ... 116 common frames omitted Wrapped by: java.lang.IllegalArgumentException: Unable to deserialize the execution context at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:328) at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:312) at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:93) at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:60) at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:666) at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:604) at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:656) at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:687) at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:699) at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:755) at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao.getExecutionContext(JdbcExecutionContextDao.java:114) at org.springframework.batch.core.explore.support.SimpleJobExplorer.getJobExecutionDependencies(SimpleJobExplorer.java:232) at org.springframework.batch.core.explore.support.SimpleJobExplorer.getJobExecution(SimpleJobExplorer.java:141) at com.emc.cloud_dr.infra.workflow.utils.JobExecutionUtil.getJobExecutionOptional(JobExecutionUtil.java:118)

I have tried to activate default typing with PolymorphicTypeValidator but it failed to solve the issue.
I tried to downgrade to 4.2.3 but similar issue happend.

PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator .builder() .allowIfBaseType("com.emc.cloud_dr.") .allowIfBaseType("java.util.") .build(); objectMapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);

Bug description
create a workflow that persist several jobParameters
in some stage getJobExecution
failure occur

Environment
Please provide as many details as possible: Spring Batch version, Java version, which database you use if any, etc

spring batch 4.2.4. Spring boot 2.0.9 with springframework 5.0.13 .java version 1.8.0_202. H2 DB.

Steps to reproduce
create a workflow that persist several jobParameters
in some stage getJobExecution
failure occur

Expected behavior
get the job execution and continue as before.

[mminella]

Closing as a duplicate of #3732. This is the same issue. Also, the fix for the CVE was put in 4.2.3 so to go back to a version that does not have it, you need to downgrade to 4.2.2.

[oferfg4a]

Is 4.2.2 solves the CVE as well?

[mminella]

No. 4.2.2 is vulnerable to the CVE as noted in the report: https://tanzu.vmware.com/security/cve-2020-5411.