Block more classes from polymorphic deserialization (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362) #2186

Closed
cowtowncoder opened this issue Nov 18, 2018 · 8 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone

Comments

@cowtowncoder
Member

cowtowncoder commented Nov 18, 2018

This issue covers the following CVEs related to polymorphic deserialization gadgets:

CVE-2018-19360 (axis2-transport-jms)
CVE-2018-19361 (openjpa)
CVE-2018-19362 (jboss-common-core)

See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Original vulnerability discoverer:
吴桂雄 Wuguixiong

Fixed in:

  • 2.9.8 and later
  • 2.8.11.3
  • 2.7.9.5
  • 2.6.7.3
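A version check against the fixed releases listed above, as an added example that is not part of this issue or of jackson-databind: it decides whether a resolved jackson-databind version carries the fix and then scans constructed `mvn dependency:tree` output for the artifact. Treating 2.10+ as fixed follows from "2.9.8 and later"; treating a pre-release qualifier of a fix version (e.g. `2.9.8.pr1`) as unfixed is an assumption.

```python
import re

# Added example, not from this issue or the Jackson project. Fixed versions from the
# issue: 2.9.8 "and later"; the 2.6/2.7/2.8 branches only via these micro-patches.
FIXED_IN = {
    (2, 6): (2, 6, 7, 3),
    (2, 7): (2, 7, 9, 5),
    (2, 8): (2, 8, 11, 3),
    (2, 9): (2, 9, 8),
}

def parse_version(version):
    """Return (numeric tuple, is_prerelease); '2.9.8.pr1' -> ((2, 9, 8), True)."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, bool(m.group(2))

def is_fixed(version):
    """True if this jackson-databind version includes the gadget-blocking fix."""
    nums, prerelease = parse_version(version)
    branch = nums[:2]
    if branch > (2, 9):          # 2.10+ and later majors postdate 2.9.8
        return True
    if branch not in FIXED_IN:   # 2.5 and earlier got no micro-patch for this
        return False
    floor = FIXED_IN[branch]
    if prerelease and nums == floor:  # assumption: 2.9.8.pr1 predates 2.9.8
        return False
    return nums >= floor         # tuple order: (2, 8, 11) < (2, 8, 11, 3)

# Coordinate as printed by `mvn dependency:tree`: group:artifact:type:version:scope
COORD = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([^:\s]+)")

def audit_dependency_tree(tree_text):
    """Map each jackson-databind version found in the tree to True (fixed) / False."""
    return {v: is_fixed(v) for v in COORD.findall(tree_text)}

# Constructed sample output, not captured from a real build.
SAMPLE_TREE = """\
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.11.3:compile
[INFO] \\- org.example:legacy-client:jar:1.0:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
"""

if __name__ == "__main__":
    for ver, ok in audit_dependency_tree(SAMPLE_TREE).items():
        print(f"jackson-databind {ver}: {'fixed' if ok else 'VULNERABLE'}")
```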
@cowtowncoder cowtowncoder changed the title Block more classes from polymorphic deserialization (placeholder) Block more classes from polymorphic deserialization (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362) Nov 20, 2018
@cowtowncoder cowtowncoder added this to the 2.9.8 milestone Nov 20, 2018
@cowtowncoder cowtowncoder added CVE Issues related to public CVEs (security vuln reports) and removed ACTIVE labels Nov 23, 2018
cowtowncoder added a commit that referenced this issue Nov 23, 2018
@cowtowncoder
Member Author

Fix released on 23-Nov-2018, in:

  • 2.7.9.5 (micro-patch of jackson-databind)
  • 2.8.11.3 (micro-patch of jackson-databind, plus jackson-bom version 2.8.11.20181123)

and will be included in 2.9.8 as soon as that gets released (full release along with other fixes)

@bbossola

Will this fix be included in 2.6.7.3, like #2097 was for 2.6.7.2?

@cowtowncoder
Member Author

@bbossola I don't think I will release any more 2.6.7.x micro-patches at this point, so no.

@sudhi-git

Has the 2.9.8 version been released with the fixes?

@cowtowncoder
Member Author

Not yet. Should be released within next week or two, definitely before end of 2018.

@cowtowncoder
Member Author

holograph added a commit to holograph/zjsonpatch that referenced this issue Jan 14, 2019
vishwakarma pushed a commit to flipkart-incubator/zjsonpatch that referenced this issue Jan 14, 2019
dwaynebailey pushed a commit to hmcts/ccd-data-store-api that referenced this issue Jan 25, 2019
This indirectly upgrades jackson-databind to 2.8.11.3 which resolves the
selected version for a number of dependencies.

Although reporting an error this release fixes:
CVE-2018-14718: RCE with slf4j-ext jar
CVE-2018-14719: RCE with blaze-ds-opt, -core jars
CVE-2018-14720: exfiltration/XXE with only JDK classes (some JDK
versions)
CVE-2018-14721: exfiltration/SSRF with axis2-jaxws
Ref FasterXML/jackson-databind#2097

CVE-2018-19360 (axis2-transport-jms)
CVE-2018-19361 (openjpa)
CVE-2018-19362 (jboss-common-core)
Ref FasterXML/jackson-databind#2186

See
FasterXML/jackson-databind#2097 (comment)
https://github.com/FasterXML/jackson-databind/blob/2.8/release-notes/VERSION#L8-L15

RDM-3796
dwaynebailey pushed a commit to hmcts/ccd-definition-store-api that referenced this issue Jan 25, 2019
dwaynebailey pushed a commit to hmcts/ccd-definition-store-api that referenced this issue Jan 25, 2019
dwaynebailey pushed a commit to hmcts/ccd-data-store-api that referenced this issue Jan 29, 2019
dwaynebailey pushed a commit to hmcts/ccd-data-store-api that referenced this issue Jan 31, 2019
vishwakarma pushed a commit to flipkart-incubator/zjsonpatch that referenced this issue Feb 10, 2019
* Security upgrade (see FasterXML/jackson-databind#2186)

* Minor cleanup

* Further cleanup

* Added DiffFlags.EMIT_TEST_OPERATIONS, along with associated tests and functionality

* Further (minor) cleanup

* Corrected @since version on EMIT_COPY_OPERATIONS