Deprecate SerializationUtils#deserialize

Since SerializationUtils#deserialize is based on Java's serialization
mechanism, it can be the source of Remote Code Execution (RCE)
vulnerabilities.

Closes gh-28075

Author: ledoyen

spring-context-support/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java

@@ -150,7 +150,7 @@ private static CacheOperationInvoker.ThrowableWrapper rewriteCallStack(
 	@Nullable
 	private static <T extends Throwable> T cloneException(T exception) {
 		try {
-			return (T) SerializationUtils.deserialize(SerializationUtils.serialize(exception));
+			return SerializationUtils.clone(exception);
 		}
 		catch (Exception ex) {
 			return null;  // exception parameter cannot be cloned

spring-core/src/main/java/org/springframework/util/SerializationUtils.java

@@ -21,6 +21,7 @@
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
+import java.io.Serializable;
 
 import org.springframework.lang.Nullable;
 
@@ -57,8 +58,13 @@ public static byte[] serialize(@Nullable Object object) {
 	 * Deserialize the byte array into an object.
 	 * @param bytes a serialized object
 	 * @return the result of deserializing the bytes
+	 * @deprecated This utility uses Java's reflection, which allows arbitrary code to be
+	 * run and is known for being the source of many Remote Code Execution vulnerabilities.
+	 * <p>Prefer the use of an external tool (that serializes to JSON, XML or any other format)
+	 * which is regularly checked and updated for not allowing RCE.
 	 */
 	@Nullable
+	@Deprecated
 	public static Object deserialize(@Nullable byte[] bytes) {
 		if (bytes == null) {
 			return null;
@@ -74,4 +80,15 @@ public static Object deserialize(@Nullable byte[] bytes) {
 		}
 	}
 
+	/**
+	 * Clone the given object using Java's serialization.
+	 * @param object the object to clone
+	 * @param <T> the type of the object to clone
+	 * @return a clone (deep-copy) of the given object
+	 * @since 6.0.0
+	 */
+	@SuppressWarnings("unchecked")
+	public static <T extends Serializable> T clone(T object) {
+		return (T) SerializationUtils.deserialize(SerializationUtils.serialize(object));
+	}
 }

spring-core/src/test/java/org/springframework/util/SerializationUtilsTests.java

@@ -67,4 +67,9 @@ void deserializeNull() throws Exception {
 		assertThat(SerializationUtils.deserialize(null)).isNull();
 	}
 
+	@Test
+	void cloneException() {
+		IllegalArgumentException ex = new IllegalArgumentException("foo");
+		assertThat(SerializationUtils.clone(ex)).hasMessage("foo").isNotSameAs(ex);
+	}
 }