More potential deserialization gadgets reported for:
For some of these need to check parent hierarchy.
Fixed in:
I think this covers to-be-released CVE-2017-17485.
Hello,
Could you provide a list of affected versions? In the CVE declaration https://nvd.nist.gov/vuln/detail/CVE-2017-17485, the "Vulnerable software and versions" part is omitted, so it's not clear (I don't know if that's normal?). All versions before 2.8.10 and/or before 2.9.1?
Thanks a lot!
The NIST page now lists "through 2.9.3" which is the latest version in Maven.
Fix is in 2.8.11 (already out) and will be in 2.9.4 due to be released soon, during January (blocked by unrelated changes we want to get in).
@bekwam One complication here is that we keep 2 or 3 open branches, typically, so ordering is not linear across patches from different minor version branches. Hence 2.8.11 has some later fixes than 2.9.3.
Apparently this is related to CVE-2017-17485, will resolve it.
Does 2.7.9.2 also fix this issue? If so https://nvd.nist.gov/vuln/detail/CVE-2017-17485 still flags that version as affected.
@yousifS I don't know. Probably not -- time to get out of 2.7 branch as it is not open any more.
@yousifS Actually looking at this again... fix is indeed included in 2.7.9.2, which was released 20-Dec-2017. This as per release notes.
@cowtowncoder I thought so, but did not want to assume. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485, is still incorrect then. Thanks again for looking into it.
@yousifS FWIW, there is also now 2.7.9.3. Released because of one NPE related to blacklist checking, included in 2.7.9.2.
For further info: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
Hi @cowtowncoder, is the reported vulnerability CVE-2017-17485 fixed in version 2.9.5 / 2.9.6 ?
@bobby-lin Yes, as per earlier comments: it was included in 2.9.4.
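The fix-version discussion above (2.7.9.2, 2.8.11 and 2.9.4, with 2.8.11 carrying later fixes than 2.9.3) is easy to get wrong with a plain "newer than X" comparison, because several minor branches are maintained in parallel. The following Python script is an added example, not code from the jackson-databind project or from anyone in this thread: it encodes the per-branch fix versions stated here and checks a few constructed Maven coordinates against them. The coordinate lines and the treatment of pre-release qualifiers and of branches older than 2.7 are assumptions made for the example.

```python
"""Added example: per-branch fix check for CVE-2017-17485 in jackson-databind.

Fix versions are taken from the issue thread above:
  2.7 branch -> fixed from 2.7.9.2
  2.8 branch -> fixed from 2.8.11
  2.9 branch -> fixed from 2.9.4
Because 2.7.x, 2.8.x and 2.9.x were released in parallel, ordering is not
linear across branches: 2.8.11 sorts below 2.9.3 yet is fixed, while 2.9.3
is not. The check therefore compares within the version's own minor branch.
"""
from typing import Dict, List, Optional, Tuple

# Branch (major, minor) -> first fixed version, as reported in the thread.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 7): (2, 7, 9, 2),
    (2, 8): (2, 8, 11),
    (2, 9): (2, 9, 4),
}

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn '2.9.4', '2.7.9.2' or '2.9.4-rc1' into a comparable tuple.

    Numeric parts are padded to four components. A trailing qualifier such as
    '-rc1' or '-SNAPSHOT' is treated as a pre-release that sorts *below* the
    final release (assumption for this example): the last tuple element is 1
    for a final release and 0 for a pre-release.
    """
    core, sep, _qualifier = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (4 - len(parts))
    release_rank = 0 if sep else 1
    return (parts[0], parts[1], parts[2], parts[3], release_rank)


def is_fixed(version: str) -> Optional[bool]:
    """Return True if `version` carries the fix, False if it is affected,
    None if the branch is not covered by the thread's information."""
    key = parse_version(version)
    branch = (key[0], key[1])
    if key[0] != 2 or key[1] > 9:
        # 2.10+ (and anything outside the 2.x line) is not discussed in the
        # thread, so this table cannot answer for it.
        return None
    if branch not in FIXED_IN:
        # Assumption: branches older than 2.7 have no listed fix release and
        # NVD marks everything through 2.9.3 as affected, so treat as affected.
        return False
    fixed_key = parse_version(".".join(str(p) for p in FIXED_IN[branch]))
    return key >= fixed_key


def audit(coordinates: List[str]) -> Dict[str, str]:
    """Classify Maven coordinates 'group:artifact:version' for jackson-databind.

    Artifacts other than jackson-databind are ignored; the result maps each
    jackson-databind version string to 'fixed', 'affected' or 'unknown'.
    """
    verdicts: Dict[str, str] = {}
    for line in coordinates:
        group, artifact, version = line.strip().split(":")
        if (group, artifact) != ("com.fasterxml.jackson.core", "jackson-databind"):
            continue
        state = is_fixed(version)
        verdicts[version] = "unknown" if state is None else ("fixed" if state else "affected")
    return verdicts


# Constructed sample input resembling `mvn dependency:list` coordinates.
SAMPLE_COORDINATES = [
    "com.fasterxml.jackson.core:jackson-databind:2.9.3",
    "com.fasterxml.jackson.core:jackson-databind:2.8.11",
    "com.fasterxml.jackson.core:jackson-databind:2.7.9.1",
    "com.fasterxml.jackson.core:jackson-core:2.9.3",
    "com.fasterxml.jackson.core:jackson-databind:2.9.4-rc1",
]

if __name__ == "__main__":
    for version, verdict in audit(SAMPLE_COORDINATES).items():
        print(f"jackson-databind {version}: {verdict}")
```

The point of the per-branch table is the one @cowtowncoder makes: a dependency scanner that only asks "is this older than 2.9.4?" would wrongly flag 2.8.11 and 2.7.9.2, and one that only asks "is this newer than 2.8.11?" would wrongly clear 2.9.3.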