Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block one more gadget type (logback, CVE-2019-14439) #2389

Closed
cowtowncoder opened this issue Jul 24, 2019 · 8 comments
Closed

Block one more gadget type (logback, CVE-2019-14439) #2389

cowtowncoder opened this issue Jul 24, 2019 · 8 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.9.2

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Jul 24, 2019
edited

Another gadget type report regarding logback/JNDI.

Mitre id: CVE-2019-14439
Reporter: xiexq@knownsec.com (Badcode of Knownsec 404 Team)

Fixed in:

  • 2.9.10
  • 2.8.11.4
  • 2.7.9.6
  • 2.6.7.3
@cowtowncoder cowtowncoder added ACTIVE CVE Issues related to public CVEs (security vuln reports) labels Jul 24, 2019
@jdelta-RBS
Copy link

Similar to #2341 and others? -_-

@cowtowncoder
Copy link
Member Author

@jdelta-RBS yup, same old shite.

cowtowncoder added a commit that referenced this issue Jul 26, 2019
@cowtowncoder
Backport #2387, #2389 fixes
ad418ee
@cowtowncoder cowtowncoder mentioned this issue Jul 28, 2019
Closed
@cowtowncoder cowtowncoder changed the title Placeholder for another "default typing" CVE Block one more gadget type (CVE-2019-14361) Jul 30, 2019
@cowtowncoder cowtowncoder added this to the 2.9.9.2 milestone Jul 30, 2019
cowtowncoder added a commit that referenced this issue Jul 30, 2019
@cowtowncoder
Update release notes wrt #2389
5f7d5f1
@carnil
Copy link

carnil commented Jul 30, 2019

Is this the correct CVE? According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439 CVE-2019-14439 was assigned for this issue.

@cowtowncoder
Copy link
Member Author

cowtowncoder commented Jul 30, 2019
edited

I don't know. I guess this is downside of my not requesting CVE IDs -- looks like we now have TWO cve ids for same thing. :-/

Will the real CVE-for-logback please stand up?

@cowtowncoder cowtowncoder changed the title Block one more gadget type (CVE-2019-14361) Block one more gadget type (logback, CVE-2019-14361) Jul 30, 2019
@cowtowncoder cowtowncoder changed the title Block one more gadget type (logback, CVE-2019-14361) Block one more gadget type (logback, CVE-2019-14361 / CVE-2019-14439) Jul 30, 2019
@carnil
Copy link

carnil commented Jul 31, 2019 via email

@cowtowncoder
Copy link
Member Author

Thank you.

@mibo mibo mentioned this issue Aug 2, 2019
Merged
@nluedtke
Copy link

nluedtke commented Aug 2, 2019
edited

CVE-2019-14361 was rejected. Update the title to prevent confusion?

@cowtowncoder cowtowncoder changed the title Block one more gadget type (logback, CVE-2019-14361 / CVE-2019-14439) Block one more gadget type (logback CVE-2019-14439) Aug 2, 2019
@cowtowncoder
Copy link
Member Author

Done. Will need to try to hunt down refs in other places now.

ind1go added a commit to ind1go/cics-bundle-maven that referenced this issue Aug 3, 2019
@ind1go
Update dependency to avoid jackson-databind CVEs
5c87837 
Avoids CVE-2019-14379 FasterXML/jackson-databind#2387
Avoids CVE-2019-14439 FasterXML/jackson-databind#2389

Signed-off-by: Ben Cox <1038350+ind1go@users.noreply.github.com>
scottfrederick pushed a commit to spring-cloud/spring-cloud-connectors that referenced this issue Aug 5, 2019
@mibo @scottfrederick
Updated jackson-databind version to 2.9.9.2
94dff58 
Updated jackson-databind version to 2.9.9.2 which contains fix for:
- [CVE-2019-14379](FasterXML/jackson-databind#2387)
- [CVE-2019-14361 / CVE-2019-14439](FasterXML/jackson-databind#2389)
@laszlovandenhoek laszlovandenhoek mentioned this issue Sep 6, 2019
Merged
@cowtowncoder cowtowncoder changed the title Block one more gadget type (logback CVE-2019-14439) Block one more gadget type (logback, CVE-2019-14439) Sep 12, 2019
asereda-gs added a commit to immutables/immutables that referenced this issue Sep 20, 2019
@asereda-gs
Upgrade jackson databind 2.8.11.3 -> 2.8.11.4 because of security vul…
9ea18d6 
…nerabilities

FasterXML/jackson-databind#2326: Block class for CVE-2019-12086
FasterXML/jackson-databind#2334: Block class for CVE-2019-12384
FasterXML/jackson-databind#2341: Block class for CVE-2019-12814
FasterXML/jackson-databind#2387: Block class for CVE-2019-14379
FasterXML/jackson-databind#2389: Block class for CVE-2019-14439
ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019
@ablekhman
Block one more gadget type (logback, CVE-2019-14439)
5c017a5 
Merged from FasterXML/jackson-databind#2389
Merged
4 tasks
@cowtowncoder cowtowncoder mentioned this issue Dec 26, 2020
Closed
This was referenced May 10, 2022
Open
Open
@scott-cx scott-cx mentioned this issue Aug 1, 2022
Open
@cxronen cxronen mentioned this issue Sep 20, 2022
Open
@margaritalm margaritalm mentioned this issue Dec 25, 2022
Open
This was referenced Feb 15, 2023
Open
Closed
This was referenced Apr 28, 2023
Open
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.9.2
Development

No branches or pull requests
4 participants
@cowtowncoder @carnil @nluedtke @jdelta-RBS