Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block two more gadget types (ehcache/JNDI - CVE-2019-20330) #2526

Closed
cowtowncoder opened this issue Oct 25, 2019 · 3 comments
Closed

Block two more gadget types (ehcache/JNDI - CVE-2019-20330) #2526

cowtowncoder opened this issue Oct 25, 2019 · 3 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10.2

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Oct 25, 2019
edited

Another 2 gadget (*) types reported related to JNDI access.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2019-20330
Original discoverer: UltramanGaia

Fixed in:

  • 2.9.10.2 (jackson-bom version 2.9.10.20200223)
  • 2.8.11.5 (jackson-bom version 2.8.11.20200210)
  • 2.7.9.7
  • does not affect 2.10.0 and later
@cowtowncoder cowtowncoder added ACTIVE CVE Issues related to public CVEs (security vuln reports) labels Oct 25, 2019
@cowtowncoder cowtowncoder mentioned this issue Oct 27, 2019
Closed
@cowtowncoder cowtowncoder changed the title Block two more gadget types (JNDI - CVEs to be allocated) Block two more gadget types (ehcache/JNDI - CVEs to be allocated) Nov 1, 2019
@cowtowncoder cowtowncoder added this to the 2.9.10.2 milestone Nov 1, 2019
julianladisch added a commit to folio-org/raml-module-builder that referenced this issue Nov 5, 2019
@julianladisch
RMB-504: Jackson-* version 2.10.0, fixes jackson-databind vulnerabili…
82699c1 
…ties.

Three serialization gadget (= polymorphic typing) security vulnerability issues have been reported against jackson-databind versions before 2.9.10.1:

jackson-databind 2.9.10.1 (released 2019-10-20) fixes
* commons-dbcp, p6spy ([CVE-2019-16942|https://nvd.nist.gov/vuln/detail/CVE-2019-16942] / [CVE-2019-16943|https://nvd.nist.gov/vuln/detail/CVE-2019-16943] = [jackson-databind #2478|FasterXML/jackson-databind#2478])
* log4j-extras/1.2 ([CVE-2019-17531|https://nvd.nist.gov/vuln/detail/CVE-2019-17531] = [jackson-databind #2498|FasterXML/jackson-databind#2498])

jackson-databind [2.9.10.2|https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches] (not yet released) fixes
* ehcache/JNDI (CVEs to be allocated = [jackson-databind #2526|FasterXML/jackson-databind#2526])

See also
* [On Jackson CVEs: Don't Panic — Here is what you need to know|https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062]
* [Jackson 2.10 features (esp "Safe Default Typing" to vanquish stream of CVE patches!)|https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2]
@julianladisch julianladisch mentioned this issue Nov 5, 2019
Merged
@cowtowncoder cowtowncoder mentioned this issue Nov 25, 2019
Closed
@cowtowncoder
Copy link
Member Author

2.9.10.2 was released, along with jackson-bom of 2.9.10.20200103.

@cowtowncoder cowtowncoder changed the title Block two more gadget types (ehcache/JNDI - CVEs to be allocated) Block two more gadget types (ehcache/JNDI - CVE-2019-20330) Jan 9, 2020
@cowtowncoder
Copy link
Member Author

I think Mitre allocated id is: CVE-2019-20330

(but haven't seen confirmation, possibly due to email issues wrt fasterxml.org)

@rabiihlioui
Copy link

I think Mitre allocated id is: CVE-2019-20330

(but haven't seen confirmation, possibly due to email issues wrt fasterxml.org)

2.9.10.2 was released, along with jackson-bom of 2.9.10.20200103.

Jackson-databind is not getting downloaded from maven after changing the version to 2.9.10.2 in my project's pom.xml.

qxo pushed a commit to qxo/jackson-databind that referenced this issue Mar 10, 2020
@cowtowncoder @qxo
Fix FasterXML#2526
5ed982f
cowtowncoder added a commit that referenced this issue Mar 10, 2020
@cowtowncoder
Fix #2526
eb25481
martokarski pushed a commit to atlassian/jackson-1 that referenced this issue May 8, 2020
Block two more gadget types (ehcache/JNDI - CVE-2019-20330)
35211ad 
Merged from FasterXML/jackson-databind#2526
@mend-for-github-com mend-for-github-com bot mentioned this issue May 27, 2020
Open
This was referenced May 28, 2020
Closed
Open
Closed
Open
Closed
This was referenced Jun 9, 2020
Closed
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Jun 18, 2020
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Jun 20, 2020
Closed
@mend-for-github-com mend-for-github-com bot mentioned this issue Jun 22, 2020
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Jun 24, 2020
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Feb 4, 2022
Open
This was referenced Feb 27, 2022
Closed
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 1, 2022
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Mar 1, 2022
Closed
This was referenced Mar 11, 2022
Closed
Closed
This was referenced Mar 12, 2022
Closed
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 14, 2022
Open
This was referenced Mar 14, 2022
Closed
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 22, 2022
Open
This was referenced Mar 31, 2022
Closed
Open
@westonsteimel westonsteimel mentioned this issue Apr 6, 2022
Merged
This was referenced May 10, 2022
Open
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue May 31, 2022
Closed
This was referenced May 31, 2022
Closed
Closed
Closed
@scott-cx scott-cx mentioned this issue Aug 1, 2022
Open
@cxronen cxronen mentioned this issue Sep 20, 2022
Open
@margaritalm margaritalm mentioned this issue Dec 25, 2022
Open
This was referenced Feb 15, 2023
Open
Open
This was referenced Apr 28, 2023
Open
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10.2
Development

No branches or pull requests
2 participants
@cowtowncoder @rabiihlioui