CVE-2026-42779 - Apache MINA resolveClass deserialization RCE

rg -n "org\\.apache\\.mina|mina-core|IoBuffer\\.getObject|ObjectSerializationCodecFactory|ObjectSerializationDecoder|acceptMatchers|ProtocolCodecFilter" .
mvn -q dependency:tree -Dincludes=org.apache.mina:mina-core
gradle -q dependencyInsight --dependency mina-core --configuration runtimeClasspath
find . -name "*.jar" -maxdepth 8 | xargs -r -n1 sh -c 'jar tf "$0" 2>/dev/null | grep -q "org/apache/mina/core/buffer/AbstractIoBuffer.class" && echo "$0"'

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-42779 (Apache MINA
`AbstractIoBuffer.resolveClass()` deserialization allowlist bypass leading to
RCE). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Apache MINA, verifies
  affected object-deserialization exposure, and documents operator containment,
  or
- TRIAGE.md if this repository does not own an affected MINA runtime or cannot
  make a safe patch.

## Rules

- Scope only CVE-2026-42779.
- Do not run public exploits, gadget-chain payloads, ysoserial payloads, or
  exploit-like serialized objects against production or shared environments.
- Do not print, commit, or attach serialized payloads, credentials, session
  material, customer data, or captured network traffic.
- Do not hand-edit vendored Apache MINA source unless no package upgrade path
  exists and the change is explicitly marked as temporary containment.
- Do not replace Java deserialization with a new ad hoc parser without tests
  and reviewer-visible behavior notes.
- Do not auto-merge.

## Steps

1. Inventory all Apache MINA usage controlled by this repository:
   Maven/Gradle/SBT/Bazel manifests, lockfiles, dependency constraints,
   vendored jars, shaded/fat jars, SBOMs, Dockerfiles, base images, Helm charts,
   deployment manifests, generated dependency reports, and runtime start
   scripts.
2. Determine every resolved `org.apache.mina:mina-core` version. A target is
   vulnerable if it resolves to:
   - `>=2.1.0, <=2.1.11`;
   - `>=2.2.0, <=2.2.6`.
3. If the repository only contains clients, docs, or deployment pointers and
   does not own the affected runtime, stop with `TRIAGE.md` naming the owner,
   evidence checked, vulnerable version evidence if present, and required
   rollout actions.
4. Search for object deserialization exposure:
   - `IoBuffer.getObject()`;
   - `ObjectSerializationCodecFactory`;
   - `ObjectSerializationDecoder`;
   - `ProtocolCodecFilter` configurations that decode Java objects;
   - custom wrappers around MINA object serialization;
   - protocol listeners reachable from users, partners, plugins, agents, or
     other semi-trusted clients.
5. Upgrade vulnerable runtimes on their existing release line:
   - `2.1.x` to `2.1.12+`;
   - `2.2.x` to `2.2.7+`.
   Regenerate dependency locks, build metadata, shaded jars, SBOMs, image
   digests, and rendered deployment artifacts used by this repository.
6. If a dependency constraint or transitive dependency keeps MINA vulnerable,
   update the owning direct dependency, add a scoped dependency override, or
   document the owning upstream blocker in `TRIAGE.md`.
7. If this codebase exposes MINA object deserialization to untrusted clients,
   add the safest small hardening change available in scope:
   - disable the object-serialization codec for external endpoints;
   - require trusted network/authentication boundaries before that codec is
     reachable;
   - add or tighten runtime serialization filters as defense in depth;
   - add a runbook for replacing Java object serialization with a typed wire
     format in a follow-up change.
8. Add or update tests/checks that are safe for a default branch:
   - dependency-resolution test or build assertion proving `mina-core` is
     fixed;
   - regression or configuration test proving external endpoints do not enable
     MINA object deserialization unintentionally;
   - smoke test for the legitimate MINA protocol behavior after the upgrade.
   Do not include exploit payloads or gadget chains.
9. Add a PR body section named `CVE-2026-42779 operator actions` that states:
   - every resolved MINA version before and after the change;
   - whether `IoBuffer.getObject()` or object serialization codecs are present;
   - which endpoints, if any, were reachable by untrusted clients;
   - what temporary network or feature containment is required before rollout;
   - whether suspicious protocol traffic or unexpected deserialization errors
     should be reviewed in logs;
   - what follow-up is needed to remove Java object serialization from the wire
     protocol if it remains.
10. Run the relevant validation: package-manager resolution, unit/integration
    tests, dependency/security scan, SBOM generation, image build, deployment
    rendering, and service smoke tests available in this repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-42779 in Apache MINA`.

## Stop conditions

- No affected Apache MINA runtime is controlled by this repository.
- The resolved MINA version is already outside the CVE-2026-42779 affected
  ranges and no vulnerable shaded or vendored copy is present.
- A fixed MINA release cannot be consumed without a larger protocol or platform
  migration.
- Verifying exposure would require running exploit payloads, gadget chains, or
  unsafe serialized objects.
- The only apparent fix would silently change a public wire protocol without
  compatibility tests or operator approval.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.