Security Tracking Issue
Do not make this issue public.
This bug is subject to the Security Errata Policy.
The overall impact of the blocking security issue(s) is Important. Based on this impact, this bug must be resolved by 02-May-2018.
Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata
CVE-2018-1295 ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints
The Apache Ignite serialization mechanism does not have a list of classes
allowed for serialization/deserialization, which makes it possible to run
arbitrary code when 3rd-party vulnerable classes are present in the Ignite
classpath. The vulnerability can be exploited if one sends a specially
prepared form of a serialized object to one of the deserialization
endpoints of some Ignite components - discovery SPI, Ignite persistence,
Memcached endpoint, socket streamer.