Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block one more gadget type (com.nqadmin.rowset, CVE-xxxx-xxx) #2826

Closed
cowtowncoder opened this issue Aug 22, 2020 · 0 comments
Closed

Block one more gadget type (com.nqadmin.rowset, CVE-xxxx-xxx) #2826

cowtowncoder opened this issue Aug 22, 2020 · 0 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10.6

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Aug 22, 2020
edited

Another gadget type(s) reported regarding class(es) of com.nqadmin.rowset:jdbcrowsetimpl. library.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: [to be allocated]
Reporter(s): ChenZhaojun (Security Team of Alibaba Cloud)

Fix is included in:
@cowtowncoder cowtowncoder added to-evaluate Issue that has been received but not yet evaluated and removed to-evaluate Issue that has been received but not yet evaluated labels Aug 22, 2020
@cowtowncoder cowtowncoder added this to the 2.9.10.6 milestone Aug 22, 2020
@cowtowncoder cowtowncoder changed the title Block one more gadget type (xxx, CVE-xxxx-xxx) Block one more gadget type (com.nqadmin.rowset, CVE-xxxx-xxx) Aug 24, 2020
@cowtowncoder cowtowncoder added the CVE Issues related to public CVEs (security vuln reports) label Aug 24, 2020
qxo added a commit to qxo/jackson-databind that referenced this issue Sep 21, 2020
@qxo
fix: merge fix from 2.9 branch FasterXML#2653 FasterXML#2658 FasterXM…
7e70e8e 
…L#2659 FasterXML#2660 FasterXML#2662 FasterXML#2664 FasterXML#2666 FasterXML#2670 FasterXML#2680 FasterXML#2682 FasterXML#2688 FasterXML#2698 FasterXML#2704 FasterXML#2765 FasterXML#2798 FasterXML#2814 FasterXML#2826 FasterXML#2827 FasterXML#2854

1. generated diff CVE diff
git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

2. cleanup the diff ,just remain the CVE change

3. apply the diff

4. check and make sure only commit the AutoType CVE change.

```
PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l
echo $PR_LIST
```
@qxo qxo mentioned this issue Sep 21, 2020
Merged
cowtowncoder pushed a commit that referenced this issue Sep 22, 2020
@qxo
fix: merge fix from 2.9 branch #2653 #2658 #2659 #2660 #2662 #2664 #2666
08fbfac 
 #2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

1. generated diff CVE diff
git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

2. cleanup the diff ,just remain the CVE change

3. apply the diff

4. check and make sure only commit the AutoType CVE change.

```
PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l
echo $PR_LIST
```
joschi added a commit to dropwizard/metrics that referenced this issue Nov 11, 2020
@joschi
Upgrade to Jackson 2.9.10.6
9b876b3 
https://nvd.nist.gov/vuln/detail/CVE-2020-24750
https://nvd.nist.gov/vuln/detail/CVE-2020-24616

Release notes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches

>  jackson-databind 2.9.10.6 (24-Aug-2020) -- with jackson-bom version 2.9.10.20200824
>
>  * FasterXML/jackson-databind#2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750
>  * FasterXML/jackson-databind#2814: Block one more gadget type (Anteros-DBCP, CVE-2020-24616)
>  * FasterXML/jackson-databind#2826: Block one more gadget type (com.nqadmin.rowset)
>  * FasterXML/jackson-databind#2827: Block one more gadget type (org.arrahtec:profiler-core)
@joschi joschi mentioned this issue Nov 11, 2020
Merged
arteam pushed a commit to dropwizard/metrics that referenced this issue Nov 11, 2020
@joschi
Upgrade to Jackson 2.9.10.6 (#1708)
e5831a8 
https://nvd.nist.gov/vuln/detail/CVE-2020-24750
https://nvd.nist.gov/vuln/detail/CVE-2020-24616

Release notes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches

>  jackson-databind 2.9.10.6 (24-Aug-2020) -- with jackson-bom version 2.9.10.20200824
>
>  * FasterXML/jackson-databind#2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750
>  * FasterXML/jackson-databind#2814: Block one more gadget type (Anteros-DBCP, CVE-2020-24616)
>  * FasterXML/jackson-databind#2826: Block one more gadget type (com.nqadmin.rowset)
>  * FasterXML/jackson-databind#2827: Block one more gadget type (org.arrahtec:profiler-core)
tkanafa-atlassian added a commit to atlassian/jackson-1 that referenced this issue Apr 20, 2021
@tkanafa-atlassian
MNSTR-5023 backport security fix from jackson2
b9fc2f5 
Merged from FasterXML/jackson-databind#2826 FasterXML/jackson-databind#2827
tkanafa-atlassian added a commit to atlassian/jackson-1 that referenced this issue Apr 20, 2021
@tkanafa-atlassian
MNSTR-5023 backport security fix from jackson2 Block one more gadget …
7cc8ecf 
…type Block one more gadget type (com.nqadmin.rowset, CVE-xxxx-xxx), Block one more gadget type Block one more gadget type (org.arrahtec:profiler-core, CVE-xxxx-xxx)

Merged from FasterXML/jackson-databind#2826 FasterXML/jackson-databind#2827
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10.6
Development

No branches or pull requests
1 participant
@cowtowncoder