Another two gadget types reported, against Hibernate and iBatis.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for a description of the general problem.
Mitre id: CVE-2018-5968
Fixed in:
I am not sure I saw that email. Which address was it from (or what was the title)?
The title is [Critical] Jackson Deserialization RCE via a new Gadget.
There are two emails about two different gadgets.
Ok somehow I do not see this via that email address (with that title or any other combination).
Would it be possible to re-send it?
@OneSourceCat Should the latest published version of jackson-databind be considered vulnerable, until the issue is resolved?
@codelion before assuming anything, make sure to also read:
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
to know under what special conditions vulnerabilities exist. For most Jackson users these are not applicable.
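The "special conditions" referred to above are polymorphic deserialization settings: a gadget class only becomes reachable when the input is allowed to name the class to instantiate, which is what `ObjectMapper.enableDefaultTyping()` (or an equivalent `@JsonTypeInfo` on an `Object`-typed property) permits. The following is an added illustration, not code from this thread or from the jackson-databind project: it puts the weak configuration beside two hardened ones. `Envelope`, `Greeting` and the class name `com.example.SomeGadget` are placeholders invented for the example (the last one is not one of the gadgets reported in this issue). The allowlist-based `PolymorphicTypeValidator` API it uses only exists in Jackson 2.10 and later; for the 2.8/2.9 micro-patches discussed here the remedy is simply not enabling default typing.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application type used as the deserialization target.
    public static class Envelope {
        public Object payload;   // declared as Object: a polymorphic property
    }

    // Hypothetical subtype we genuinely want to allow for `payload`.
    public static class Greeting {
        public String text;
    }

    // WEAK: with default typing on, the *input* names the class to instantiate
    // for `payload`. Any class on the classpath that is not on Jackson's
    // blacklist can be chosen; the gadgets in this thread are exactly classes
    // that were not yet on that list.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();   // deprecated since 2.10 for this reason
        return m;
    }

    // HARDENED (1): no default typing. An Object-typed property then binds to
    // plain Map/List/String/Number values and a class name in the input is
    // just a string.
    static ObjectMapper noDefaultTypingMapper() {
        return new ObjectMapper();
    }

    // HARDENED (2), Jackson 2.10+: if polymorphism is really needed, activate
    // default typing behind an allowlist, so only Greeting (and its subtypes)
    // may be named by the input. Everything else is rejected before the class
    // is even looked up, so a new gadget cannot bypass it the way a blacklist
    // entry can be missed.
    static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. With default typing, an Object property is
        // written as a two-element array: [ "fully.qualified.ClassName", value ].
        // "com.example.SomeGadget" is a placeholder class name, not a real gadget.
        String hostile = "{\"payload\":[\"com.example.SomeGadget\",{\"x\":1}]}";
        String benign  = "{\"payload\":[\"" + Greeting.class.getName()
                + "\",{\"text\":\"hi\"}]}";

        // Weak mapper: tries to resolve and instantiate whatever class the
        // input names. Here that fails only because the placeholder class does
        // not exist on the classpath; a real gadget class would be instantiated.
        try {
            weakMapper().readValue(hostile, Envelope.class);
        } catch (Exception e) {
            System.out.println("weak mapper tried to resolve the class from input: "
                    + e.getClass().getSimpleName());
        }

        // Allowlist mapper: the unknown type id is rejected by the validator.
        try {
            allowlistMapper().readValue(hostile, Envelope.class);
        } catch (Exception e) {
            System.out.println("allowlist mapper rejected the type id: "
                    + e.getClass().getSimpleName());
        }
        // ...while the allowed subtype still works.
        Envelope ok = allowlistMapper().readValue(benign, Envelope.class);
        System.out.println("allowlist mapper accepted Greeting: "
                + ((Greeting) ok.payload).text);

        // No default typing: the same hostile document is just a list of two
        // values (a String and a Map); nothing is instantiated by name.
        Envelope plain = noDefaultTypingMapper().readValue(hostile, Envelope.class);
        System.out.println("no default typing -> payload is a "
                + plain.payload.getClass().getSimpleName());
    }
}
```

The practical check this suggests for an audit: grep a code base for `enableDefaultTyping`, `activateDefaultTyping` and `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS` / `Id.MINIMAL_CLASS`; if none of these appear, the gadget CVEs in this thread are not reachable regardless of which jackson-databind version is on the classpath, which is the point the linked post makes.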
@cowtowncoder I've already resent the report. My email address is chongrui123[at]gmail.com.
@OneSourceCat Ah. Gmail decided to put them in SPAM for some weird reason. :-o
Will this fix be added to the 2.8 branch?
Yes, it is in 2.8 branch. Fix will be in 2.8.11.1 if such is released at some point; no full releases are planned for 2.8 at this point.
Fix was included in 2.9.4 release.
thanks!
Micro-patch 2.8.11.1 was just released, and this fix is in it, along with #1872 and #1931.
OWASP dependency check is still reporting this as vulnerable after updating to 2.8.11.1
@arunnc that’s a problem with OWASP dependency check, you can report it to them.
Hi Asankhaya,
The issue is that the NVD database is not updated with the micro-patch 2.8.11.1 version and fix details.
Would you know how to get this corrected?
@arunnc In general, we cannot rely on NVD for the accuracy of vulnerable and fix versions. Shameless plug but you can try using https://www.sourceclear.com/ instead.
@codelion At https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce-/java/sid-5732/summary CVE-2018-5968 is referenced as fixed in 2.7.9.3.
However, I find it difficult to read that from the commit/code comments related to 2.7.9.3.
Could you elaborate on how you've come to the conclusion that 2.7.9.3 is safe (and includes a fix for CVE-2018-5968) ?
@newbishme can you help answer @hinnerup's question and verify the fix info for the artifact.
@hinnerup Apologies for the slight confusion there. Below is the snippet from the CVE description of CVE-2018-5968:
This is exploitable via two different gadgets that bypass a blacklist.
Based on the information available at the time of identifying this issue, 2.7.9.3 was yet to be published.
When the comment above on #1931 was made, the content of https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce-/java/sid-5732/summary was updated to include 2.7.9.3.
A separate CVE was only recently assigned to #1931, and is currently awaiting analysis as of now. This has been cataloged as another vulnerability since the assignment of the CVE. Following that, the details of https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce-/java/sid-5732/summary should have been updated to remove 2.7.9.3.
https://github.com/advisories/GHSA-w3f4-3q6j-rh82 seems to indicate that version 2.6.7.3 is affected. Is it that the advisory data is out of date? What are the steps to update it?
@ScrapCodes I don't know how GitHub advisories work or what data source they use. If anyone is interested, they can point maintainers to https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.6.7.x, which points out that 2.6.7.3 contains the fix.