From an email report there are 2 other c3p0 classes (above and beyond the ones listed in #1737) that need to be blocked.
EDIT 09-Apr-2018: Fix included in: 2.9.5, 2.8.11.1, 2.7.9.3
Fixed in 2.8.11.1 (newly released) and 2.9.5 (when it is released)
Hi there!
How come there is no artifact in http://repo1.maven.org/maven2/com/fasterxml/jackson/jackson-bom/ that matches release 2.8.11.1?
This is preventing me from upgrading to 2.8.11.1 because that artifact would be required by Spring Boot's dependency management.
Thanks in advance!
@philippn Because beyond 2.8.11.1 there is no full release, and it is not really practical to create one-off bom sets: there may or may not be micro-patches for various components.
What you need to do is to either use 2.8.11 bom and overrides (re-define one of version properties) or add explicit direct dependency. Alternatively you could probably build a separate bom of your own, one that extends jackson-bom-2.8.11.
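One concrete form of the "explicit direct dependency" option above, as an added example rather than anything posted in this thread: a Maven dependencyManagement fragment that keeps importing the 2.8.11 jackson-bom but pins jackson-databind to the patched 2.8.11.1 micro-release. It assumes a plain Maven project that imports jackson-bom directly (with Spring Boot's parent the same entry goes in the project's own dependencyManagement ahead of the Boot BOM).

```xml
<!-- Added example, not from the thread: pin the patched micro-release while
     still importing the last full-release BOM for every other Jackson module.
     Maven gives an explicit dependencyManagement entry precedence over the
     same coordinates supplied by an imported BOM. -->
<dependencyManagement>
  <dependencies>
    <!-- Explicit override: 2.8.11.1 carries the CVE-2018-7489 fix
         (the additional c3p0 classes are blocked for default typing). -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.8.11.1</version>
    </dependency>
    <!-- The 2.8.11 BOM still manages jackson-databind at 2.8.11; the entry
         above takes precedence, everything else stays at 2.8.11. -->
    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <version>2.8.11</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Confirm the override actually won with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind`, which should show 2.8.11.1 and nothing else for that artifact.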
Thanks for the clarification!
@philippn np. And apologies for the mess. I understand it is not ideal, and I am hoping we can figure out a more maintainable system for CVE updates.
For further info: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
Vuln reported as: https://access.redhat.com/security/cve/cve-2018-7489
Hi! Any estimates for a 2.9.5 release? Thanks!
Hi FasterXML Team,
As the new vulnerability CVE-2018-7489 has been reported and we are using jackson-databind version 2.9.4, which is now vulnerable, please confirm when we can get a full new release like 2.9.5 or a patch fix in v2.9.4.1 that will help us get rid of this vulnerability.
-thanks
Dharmendra
Is this defect applicable for org.codehaus.jackson libraries too?
@kiranmn Yes. With caveats from
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
meaning it affects "default typing" usage, and only that.
Hi @cowtowncoder,
my product comes with jackson-databind 2.7.9.2. I now want to fix CVE-2018-5968 and CVE-2018-7489. My first try was to update it to 2.9.5. Unfortunately a lot of my test cases failed because of a Java compatibility issue.
jackson-databind 2.7.9.2 requires at least Java 6.
jackson-databind 2.9.5 requires at least Java 7.
My product still supports Java 6. Will there be a fix for Jackson 2.7.9?
Regards,
Max
@MaximilianTews 2.9 should still run on Java 6 as features are accessed dynamically, but I must admit I have not been able to verify that.
Same should be true of 2.8, and 2.8.11.1 has the fix as well.
Due to limited resources we do not support older versions in general, but since these are security fixes I have accepted PRs for backports, and released micro-patches. So if you really want these, do you think you could create a PR? Probably easiest to have a look at fixes from 2.8.
Hi @cowtowncoder,
I had a look at the history of 2.7 and it seems that the fix for CVE-2018-7489 (#1931) is already included in 2.7.9.3.
I will create a PR for CVE-2018-5968 (#1899) for 2.7.
Regards,
Max
@MaximilianTews thank you for checking this: I updated the description with this information -- you are right about inclusion in 2.7.9.3.