CVE-2016-3270 is falsely reported for the following libraries and probably all other com.fasterxml.jackson libraries for all versions (e.g. [version] = 2.5.0, 2.5.4, 2.6.5)
Am I right that we can't use the CPE as a suppression rule here, as that would exclude the vulnerable library jackson-dataformat-xml as well?
Is the CVE limited to just jackson-dataformat-xml? Because that is what I thought at first, but then the CVE mentions cpe:/a:fasterxml:jackson:- which seems pretty broad.
Note that the issue seems limited to XML, yet I only use Jackson for JSON.
As far as I understand the original Fedora bug report, only the extension jackson-dataformat-xml is affected, which must be put explicitly on the classpath.
In that case, isn't the CVE metadata incorrect? As long as it says cpe:/a:fasterxml:jackson:-, then it is going to get hits on the artifacts that you mentioned. I don't see why the metadata can not be more specific to the dataformat-xml artifact. (Whom do you complain to about CVE metadata?)
That is correct Anthony. Though I'm not sure where to file a fix for CVE metadata, and if it would be fixed at all. I guess RedHat could be the contact here as the responsible CVE Numbering Authority.
FYI, I've sent an email to RedHat security team. We'll see if I'm mistaken or if they can fix it.
I raised a ticket for jackson-dataformat-xml and they responded saying that it has already been fixed for Jackson 2.7.4.
I also sent an email to [email protected] (after reading the FAQ) and they forwarded the issue to [email protected].
After thinking about this some more I believe we could use the following suppression rules to suppress the false positive for all except the Jackson-dataformat-xml:
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        file name: jackson-core-2.6.5.jar
        ]]></notes>
        <gav regex="true">com\.fasterxml\.jackson\.core:jackson.*</gav>
        <cve>CVE-2016-3720</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        file name: jackson-core-2.6.5.jar
        ]]></notes>
        <gav regex="true">com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).*</gav>
        <cve>CVE-2016-3720</cve>
    </suppress>
</suppressions>
@awhitford , did you get any update over your e-mail? I am safely assuming that the vulnerability exists even with Jackson 2.7.4.
Does anyone know the tentative timeline of the next Jackson version?
The fix for this FP has been implemented in 1.4.5-SNAPSHOT and will be included in the next release.
Jackson artifacts had different Maven coordinates earlier. I added the following suppression to handle those old artifacts with Dependency-Check 1.4.5.
<suppress>
    <notes><![CDATA[
    https://github.com/jeremylong/DependencyCheck/issues/517
    ]]></notes>
    <gav regex="true">org\.codehaus\.jackson:jackson-.*</gav>
    <cve>CVE-2016-3720</cve>
</suppress>
I am not aware which old artifact(s) corresponds to vulnerable com.fasterxml.jackson.dataformat:jackson-dataformat-xml (if any), so this potentially suppresses too much.
Thanks - I did a little research and updated the regex to include the alternative group.
Hi @jeremylong,
another package that is falsely reported is
ehcache-2.10.3.jar/rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/pom.xml (com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.3.3, cpe:/a:fasterxml:jackson:2.3.3) : CVE-2016-3720
I've locally updated the rule to exclude all sub-groups except dataformat:
<suppress base="true">
    <notes><![CDATA[
    This CVE only affects jackson-dataformat-xml. See issue #517.
    ]]></notes>
    <gav regex="true">(org\.codehaus\.jackson|com\.fasterxml\.jackson\.(?!dataformat)[^:]+):jackson.*</gav>
    <cve>CVE-2016-3720</cve>
</suppress>
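The recurring worry in this thread is that a <gav regex="true"> pattern hides the false positives but also hides the genuinely affected jackson-dataformat-xml artifact. The following Python check is an added example, not code from Dependency-Check or from anyone in the thread: it runs the early two-rule pattern set and the later single rule over the coordinates named above, assuming the pattern is applied with full-match semantics to the "groupId:artifactId:version" string; the org.codehaus and jackson-dataformat-yaml coordinates are constructed sample input.

```python
import re

# Regexes copied from the suppression rules posted in this thread.
# Assumption: Dependency-Check applies a <gav regex="true"> pattern to the
# "groupId:artifactId:version" string with full-match semantics.
EARLY_RULES = [
    r"com\.fasterxml\.jackson\.core:jackson.*",
    r"com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).*",
]
FINAL_RULE = r"(org\.codehaus\.jackson|com\.fasterxml\.jackson\.(?!dataformat)[^:]+):jackson.*"

# The one artifact the CVE really applies to; a rule set must never hide it.
VULNERABLE_GAV = "com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.6.5"

# Coordinates from the thread plus two constructed ones (codehaus, dataformat-yaml).
SAMPLE_GAVS = [
    "com.fasterxml.jackson.core:jackson-core:2.6.5",
    "com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.3.3",
    "com.fasterxml.jackson.datatype:jackson-datatype-joda:2.8.9",
    "org.codehaus.jackson:jackson-core-asl:1.9.13",                    # constructed
    "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.6.5",  # constructed
    VULNERABLE_GAV,
]


def is_suppressed(gav, patterns):
    """True if any suppression pattern full-matches the GAV coordinate."""
    return any(re.fullmatch(p, gav) is not None for p in patterns)


def evaluate(gavs, patterns):
    """Map each coordinate to whether the rules would hide a CVE-2016-3720 finding."""
    return {g: is_suppressed(g, patterns) for g in gavs}


def never_hides_vulnerable(patterns, vulnerable=VULNERABLE_GAV):
    """The safety property a suppression rule set must satisfy."""
    return not is_suppressed(vulnerable, patterns)


if __name__ == "__main__":
    for label, rules in (("early rules", EARLY_RULES), ("final rule", [FINAL_RULE])):
        print(f"== {label} (safe: {never_hides_vulnerable(rules)})")
        for gav, hidden in evaluate(SAMPLE_GAVS, rules).items():
            print(f"  {'suppressed' if hidden else 'still flagged'}: {gav}")
```

Running it shows the trade-off: the early rules leave jaxrs, datatype and codehaus artifacts flagged while suppressing jackson-dataformat-yaml, whereas the final rule suppresses every non-dataformat group but deliberately keeps all dataformat artifacts flagged.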
Apologies for commenting on a closed ticket, but since I had to send an update request for another related Jackson XML CVE, I thought an update might make sense.
Jackson side issue for CVE-3720 is: https://github.com/FasterXML/jackson-dataformat-xml/issues/190 and it was indeed fixed in 2.7.4 and only affects jackson-dataformat-xml.
There is a newer but similar CVE, 7051: http://www.cvedetails.com/cve/CVE-2016-7051/ which:
    jackson-dataformat-xml (only)
    2.7.8 (and 2.8.4)
It also looks like the description at mitre.org is too general as well, leading to false alarms:
https://github.com/FasterXML/jackson-core/issues/371
Similar to the issue here.
I suspect it might make sense to file a new issue, but thought maybe starting here would make most sense.
It still fails with v2.0.1. Should I create a new ticket?
jackson-jaxrs-base-2.8.9.jar (com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.8.9, cpe:/a:fasterxml:jackson:2.8.9) : CVE-2016-7051
jackson-datatype-joda-2.8.9.jar (com.fasterxml.jackson.datatype:jackson-datatype-joda:2.8.9, cpe:/a:fasterxml:jackson:2.8.9) : CVE-2016-7051
@nhenneaux see #792.