Block one more gadget type (logback, CVE-2019-12384) #2334

Closed
cowtowncoder opened this issue May 28, 2019 · 10 comments
Labels: CVE (Issues related to public CVEs / security vuln reports)

@cowtowncoder (Member) commented May 28, 2019

A new gadget type (see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) was reported, and the CVE id allocated was CVE-2019-12384.
The CVE description is available at https://nvd.nist.gov/vuln/detail/CVE-2019-12384 for full details, but the specific variation (in addition to needing "default typing" and the attacker being able to craft a specific JSON message) is that:

  • if the service has the jar logback-classic in its classpath,

the vulnerability applies.

Fixed in:

  • 2.9.10
  • 2.8.11.4
  • 2.7.9.6
  • 2.6.7.3
@cowtowncoder cowtowncoder added 2.9 CVE Issues related to public CVEs (security vuln reports) labels May 28, 2019
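The precondition named in the report is Jackson's global "default typing": once it is on, the JSON document itself may name the class to instantiate, and any suitable class on the classpath (here, one from logback-classic) becomes reachable. The following is an added example, not code from this issue or from the Jackson project, that puts the weak configuration beside two hardened alternatives. The `Notification` classes are hypothetical application types; the `activateDefaultTyping` / `BasicPolymorphicTypeValidator` API is assumed to be available only on jackson-databind 2.10 and later, whereas the annotation-based approach works on the 2.6 to 2.9 lines this issue covers.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application model (assumption: not part of the issue).
    // Polymorphism is opted into per base type, and only the listed subtypes
    // may be selected by the "kind" property; a class name in the JSON is never honoured.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = EmailNotification.class, name = "email"),
        @JsonSubTypes.Type(value = SmsNotification.class, name = "sms")
    })
    public static abstract class Notification {
        public String recipient;
    }

    public static class EmailNotification extends Notification {
        public String subject;
    }

    public static class SmsNotification extends Notification {
        public String text;
    }

    // WEAK: global default typing is exactly the setting the CVE requires.
    // With it enabled, the attacker-controlled document picks the target class,
    // and a gadget jar such as logback-classic on the classpath completes the chain.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10; avoid on every line
        return mapper;
    }

    // SAFE on any 2.x line: no default typing at all. Polymorphic handling exists
    // only where a base type is annotated, and only for its registered subtypes.
    public static ObjectMapper safeMapperWithoutDefaultTyping() {
        return new ObjectMapper();
    }

    // SAFER on 2.10+ when default typing is genuinely required: restrict the
    // set of classes a document may name to subtypes of your own base type.
    public static ObjectMapper restrictedDefaultTypingMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Notification.class)
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = safeMapperWithoutDefaultTyping();

        // Constructed sample input: a well-formed document for a registered subtype.
        String ok = "{\"kind\":\"email\",\"recipient\":\"ops@example.invalid\",\"subject\":\"status\"}";
        Notification n = mapper.readValue(ok, Notification.class);
        System.out.println("accepted as " + n.getClass().getSimpleName());

        // Constructed sample input: a "kind" that is not in the registered list.
        // The mapper refuses it instead of resolving an arbitrary class.
        String unknown = "{\"kind\":\"not-registered\",\"recipient\":\"ops@example.invalid\"}";
        try {
            mapper.readValue(unknown, Notification.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The first hardened mapper is the one that applies to the versions discussed in this issue: the fix releases block this particular gadget class, but an application that never turns on default typing is not exposed to this or the next gadget in the first place. The validator-based mapper is for code that cannot drop default typing and has upgraded to a line where `activateDefaultTyping` exists.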
@hwwxj commented Jun 11, 2019

Excuse me, may I ask when will this issue be solved?

@cowtowncoder (Member, Author) commented

I hope to get to work on this (and perhaps the other CVE to file) later this week.

@cowtowncoder cowtowncoder added this to the 2.9.9.1 milestone Jun 13, 2019
@cowtowncoder (Member, Author) commented

Fixed in 2.9 (for likely micro-patch 2.9.9.1), as well as backported in 2.8 and 2.7 (in case new versions might be released; or to make it easier for users to build from those branches).

@hwwxj commented Jun 17, 2019

OK, thank you very much. By the way, when will the patch 2.9.9.1 be released? We need this urgently.

@cowtowncoder (Member, Author) commented

I'll be going on vacation later today, back on July 1st, so at earliest in early July (but possibly mid-July, depending on if it'll be 2.9.10 or 2.9.9.1).

@cowtowncoder (Member, Author) commented

Release 2.9.9.1 in-progress.

@jebeaudet commented
@cowtowncoder Are you planning on releasing a 2.9.9.1 for the jackson-bom artifact containing this jackson-databind release? Thanks

scottfrederick pushed a commit to spring-cloud/spring-cloud-connectors that referenced this issue Jul 5, 2019
@cowtowncoder (Member, Author) commented

@jebeaudet I am a bit on the fence on that -- if you would find it useful, please file an issue and I can create one?

@hwwxj commented Aug 5, 2019

Excuse me, may I ask when will jackson 2.9.10 be released?

@cowtowncoder (Member, Author) commented

@hwwxj Not clear yet -- not enough bug fixes to warrant full release. But micro-patches 2.9.9.1 and 2.9.9.2 exist with the fix (plus there will be imminent 2.9.9.3 to address #2395 that was included in 2.9.9.2).
