Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Another two gadgets to exploit default typing issue in jackson-databind (CVE-2018-5968) #1899

Closed
OneSourceCat opened this issue Jan 18, 2018 · 20 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone

Comments

@OneSourceCat
Copy link

OneSourceCat commented Jan 18, 2018

Another 2 gadget types reported against Hibernate, iBatis.

See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2018-5968

Fixed in:

  • 2.9.4 and later
  • 2.8.11.1
  • 2.7.9.2
  • 2.6.7.3
@cowtowncoder
Copy link
Member

I am not sure I saw that email. Which address was it from (or what was the title)?

@OneSourceCat
Copy link
Author

The title is [Critical] Jackson Deserialization RCE via a new Gadget.
There are two emails about two different gadget.

@cowtowncoder
Copy link
Member

Ok somehow I do not see this via that email address (with that title or any other combination).
Would it be possible re-send it?

@codelion
Copy link

@OneSourceCat Should the latest published version of jackson-databind be considered vulnerable, until the issue is resolved?

@cowtowncoder
Copy link
Member

@codelion before assuming anything, make sure to also read:

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

to know under what special conditions vulnerabilities exist. For most Jackson users these are not applicable.

@OneSourceCat
Copy link
Author

@cowtowncoder I've already resent the report. My email address is chongrui123[at]gmail.com.

@cowtowncoder
Copy link
Member

@OneSourceCat Ah. Gmail decided to put them in SPAM for some weird reason. :-o

@OneSourceCat OneSourceCat changed the title Another two gadgets to exploit default typing issue in jackson Another two gadgets to exploit default typing issue in jackson-databind Jan 22, 2018
cowtowncoder added a commit that referenced this issue Jan 22, 2018
@OneSourceCat OneSourceCat changed the title Another two gadgets to exploit default typing issue in jackson-databind Another two gadgets to exploit default typing issue in jackson-databind (CVE-2018-5968) Jan 22, 2018
@cplvic
Copy link

cplvic commented Feb 2, 2018

will this fix be added to the 2.8 branch

@cowtowncoder cowtowncoder added this to the 2.9.4 milestone Feb 2, 2018
@cowtowncoder
Copy link
Member

Yes, it is in 2.8 branch. Fix will be in 2.8.11.1 if such is released at some point; no full releases are planned for 2.8 at this point.
Fix was included in 2.9.4 release.

@cplvic
Copy link

cplvic commented Feb 3, 2018

thanks!

@cowtowncoder
Copy link
Member

Micro-patch 2.8.11.1 was just released, and this fix is in it, along with #1872 and #1931.

@arunnc
Copy link

arunnc commented Feb 14, 2018

OWASP dependency check is still reporting this as vulnerable after updating to 2.8.11.1

@codelion
Copy link

@arunnc that’s a problem with OWASP dependency check, you can report it to them.

@arunnc
Copy link

arunnc commented Feb 15, 2018 via email

@codelion
Copy link

@arunnc In general, we cannot rely on NVD for the accuracy of vulnerable and fix versions. Shameless plug but you can try using https://www.sourceclear.com/ instead.

@hinnerup
Copy link

hinnerup commented Mar 7, 2018

@codelion At https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce-/java/sid-5732/summary CVE-2018-5968 is referenced as fixed in 2.7.9.3.

However, I find it difficult to read that from the commit/code comments related to 2.7.9.3.

Could you elaborate on how you've come to the conclusion that 2.7.9.3 is safe (and includes a fix for CVE-2018-5968) ?

@cowtowncoder cowtowncoder added the CVE Issues related to public CVEs (security vuln reports) label Apr 26, 2020
@ScrapCodes
Copy link

GHSA-w3f4-3q6j-rh82 seems to indicate the version 2.6.7.3 is affected, is it that the advisories data is out of date. What are the steps to update it?

@cowtowncoder
Copy link
Member

@ScrapCodes I don't know how github advisories work, what data source they use. If anyone is interested, can point maintainers to https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.6.7.x which points that 2.6.7.3 contains the fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Development

No branches or pull requests

8 participants