The vulnerability issues are reported by CVE-2018-11307; CVE-2018-12022; CVE-2018-12023.
Can you fix it in next release?
Details:
[CVE-2018-11307]
Vulnerability Issue: CVE-2018-11307
Severity: Sonatype CVSS 3.0: 6.3
Weakness: Sonatype CWE: 502
Source: National Vulnerability Database
Categories: Data
Description (from CVE): jackson-databind - Information Exposure via Deserialization

Explanation: jackson-databind is vulnerable to Information Exposure via Deserialization of Untrusted Data. The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object, which will result in the exfiltration of sensitive information if the application attempts to deserialize it.
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968 and CVE-2018-7489.

Detection: The application is vulnerable by using this component when default typing is enabled and passing in untrusted data to be deserialized.
Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x, or Spring Security 5.0.0.M2 or greater for 5.x.

Recommendation: There is no non-vulnerable version of this component. Despite there being a fix provided by Jackson, it uses a black-list approach. If there is another class not black-listed which performs deserialization on the classpath, then this may lead to code execution. We recommend investigating alternative components or a potential mitigating control.

Workaround: Do not use the default typing. Instead, you will need to implement your own. It is also possible to customize global defaulting using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult), and by doing so can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.
Reference: https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization
Examples of implementing your own typing can be found by looking at Spring Security's fix or this Stack Overflow article.

Root Cause: org.wso2.carbon.apimgt.rest.api.admin-6.4.40.war
 * jackson-databind-2.9.5.jar
 * SubTypeValidator.class : [2.9.5, 2.9.6)

Advisories: Project: https://github.com/FasterXML/jackson-databind/issues/2032
CVSS Details: Sonatype CVSS 3.0: 6.3
____________________

[CVE-2018-12022]
Vulnerability Issue: CVE-2018-12022
Severity: Sonatype CVSS 3.0: 8.5
Weakness: Sonatype CWE: 502
Source: National Vulnerability Database
Categories: Data
Description (from CVE): jackson-databind - Remote Code Execution (RCE)

Explanation: jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968 and CVE-2018-7489.

Detection: The application is vulnerable by using this component when default typing is enabled and passing in untrusted data to be deserialized.
Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x, or Spring Security 5.0.0.M2 or greater for 5.x.

Recommendation: There is no non-vulnerable version of this component. Despite there being a fix provided by Jackson, it uses a black-list approach. If there is another class not black-listed which performs deserialization on the classpath, then this may lead to code execution. We recommend investigating alternative components or a potential mitigating control.

Workaround: Do not use the default typing. Instead, you will need to implement your own. It is also possible to customize global defaulting using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult), and by doing so can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.
Reference: https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization
Examples of implementing your own typing can be found by looking at Spring Security's fix or this Stack Overflow article.

Root Cause: org.wso2.carbon.apimgt.rest.api.admin-6.4.40.war
 * jackson-databind-2.9.5.jar
 * SubTypeValidator.class : [2.9.5, 2.9.6)

Advisories: Project: https://github.com/FasterXML/jackson-databind/issues/2052
CVSS Details: Sonatype CVSS 3.0: 8.5
____________________

[CVE-2018-12023]
Vulnerability Issue: CVE-2018-12023
Severity: Sonatype CVSS 3.0: 8.5
Weakness: Sonatype CWE: 502
Source: National Vulnerability Database
Categories: Data
Description (from CVE): jackson-databind - Remote Code Execution (RCE)

Explanation: jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968 and CVE-2018-7489.

Detection: The application is vulnerable by using this component when default typing is enabled and passing in untrusted data to be deserialized.
Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x, or Spring Security 5.0.0.M2 or greater for 5.x.

Recommendation: There is no non-vulnerable version of this component. Despite there being a fix provided by Jackson, it uses a black-list approach. If there is another class not black-listed which performs deserialization on the classpath, then this may lead to code execution. We recommend investigating alternative components or a potential mitigating control.

Workaround: Do not use the default typing. Instead, you will need to implement your own. It is also possible to customize global defaulting using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult), and by doing so can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.
Reference: https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization
Examples of implementing your own typing can be found by looking at Spring Security's fix or this Stack Overflow article.

Root Cause: org.wso2.carbon.apimgt.rest.api.admin-6.4.40.war
 * jackson-databind-2.9.5.jar
 * SubTypeValidator.class : [2.9.5, 2.9.6)

Advisories: Project: https://github.com/FasterXML/jackson-databind/issues/2058
CVSS Details: Sonatype CVSS 3.0: 8.5
____________________
@cowtowncoder, will you have a new release to fix it? Otherwise, I have to look for another JSON parser.
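The "Workaround" paragraph in the pasted report (implement your own TypeResolverBuilder and install it with ObjectMapper.setDefaultTyping) is the part a maintainer of the affected application can act on, so here is what that looks like in practice. This is an added example, not code from jackson-databind, Spring Security or anyone in this thread; the package name, the Cat/Dog/Envelope model types, the logical ids and the sample JSON are constructed for illustration, and it is written against the Jackson 2.9 API in use on this page. Instead of default typing with CLASS ids (which puts a fully qualified class name in the JSON and leaves the SubTypeValidator black-list as the only guard), it keeps default typing but switches to NAME ids resolved through a closed allow-list, so an incoming id that is not registered is rejected before any class lookup happens.

```java
// Added example (not jackson-databind or Spring Security code). Package, model types,
// logical type ids and sample JSON are constructed for illustration; Jackson 2.9 API.
package example;

import java.util.HashMap;
import java.util.Map;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.DatabindContext;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;
import com.fasterxml.jackson.databind.jsontype.impl.TypeIdResolverBase;
import com.fasterxml.jackson.databind.type.TypeFactory;

public class AllowListDefaultTyping {

    // Application model types (constructed for this example).
    public static class Cat { public String name; }
    public static class Dog { public String name; }

    // A field declared as Object: exactly where default typing decides which class to build.
    public static class Envelope { public Object payload; }

    // Resolves type ids against a closed map of logical names. The JSON never carries a
    // class name, so there is no black-list to get around: an unregistered id is reported
    // as unknown before any class is looked up or loaded.
    static final class AllowListIdResolver extends TypeIdResolverBase {
        private static final Map<String, Class<?>> ID_TO_CLASS = new HashMap<>();
        private static final Map<Class<?>, String> CLASS_TO_ID = new HashMap<>();
        static {
            register("cat", Cat.class);
            register("dog", Dog.class);
        }
        private static void register(String id, Class<?> type) {
            ID_TO_CLASS.put(id, type);
            CLASS_TO_ID.put(type, id);
        }

        AllowListIdResolver() {
            super(null, TypeFactory.defaultInstance());
        }

        @Override
        public String idFromValue(Object value) {
            return idFromValueAndType(value, value.getClass());
        }

        @Override
        public String idFromValueAndType(Object value, Class<?> suggestedType) {
            String id = CLASS_TO_ID.get(suggestedType);
            if (id == null) {
                // Refuse to write anything this resolver could not read back.
                throw new IllegalArgumentException(
                        "type not registered for polymorphic handling: " + suggestedType.getName());
            }
            return id;
        }

        @Override
        public JavaType typeFromId(DatabindContext context, String id) {
            Class<?> target = ID_TO_CLASS.get(id);
            // null makes Jackson fail the read as an unknown type id (its message includes
            // getDescForKnownTypeIds()); no class-name resolution ever takes place.
            return (target == null) ? null : context.constructType(target);
        }

        @Override
        public String getDescForKnownTypeIds() {
            return ID_TO_CLASS.keySet().toString();
        }

        @Override
        public JsonTypeInfo.Id getMechanism() {
            return JsonTypeInfo.Id.NAME;
        }
    }

    // Same applicability rule as enableDefaultTyping(OBJECT_AND_NON_CONCRETE), but with
    // NAME ids resolved by the allow-list instead of CLASS ids resolved by class name.
    static ObjectMapper mapperWithAllowListedDefaultTyping() {
        TypeResolverBuilder<?> typer =
                new ObjectMapper.DefaultTypeResolverBuilder(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                        .init(JsonTypeInfo.Id.NAME, new AllowListIdResolver())
                        .inclusion(JsonTypeInfo.As.PROPERTY)
                        .typeProperty("@type");
        ObjectMapper mapper = new ObjectMapper();
        mapper.setDefaultTyping(typer);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = mapperWithAllowListedDefaultTyping();

        Envelope out = new Envelope();
        Cat cat = new Cat();
        cat.name = "Tom";
        out.payload = cat;
        String json = mapper.writeValueAsString(out);   // payload carries "@type":"cat"
        System.out.println(json);

        Envelope back = mapper.readValue(json, Envelope.class);
        System.out.println(back.payload.getClass());    // round-trips to Cat

        // Constructed input whose type id is a class name rather than a registered id.
        String unexpected = "{\"payload\":{\"@type\":\"some.unexpected.ClassName\",\"x\":1}}";
        try {
            mapper.readValue(unexpected, Envelope.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The point of the design is that the guard is positive rather than negative: the set of instantiable classes is fixed in code, so a new gadget class on the classpath cannot change what the mapper will build, which is the weakness the report's "black-list approach" sentence describes. Note that with this resolver the wire format changes (logical names instead of class names), so both producer and consumer must use the same registry. Later Jackson releases (2.10 and up) added a built-in PolymorphicTypeValidator for the same purpose, but the approach above works with the 2.9.x versions named in the report.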
@test88d I don't understand what the hell you are writing here, since you have just cut'n'pasted something and fucking demand me to work on whatever you think is a problem.
I'd rather you go and look for another JSON parser if you are not actually helping in any way here.
This problem is in relation to #1599
Full CVE report is here: https://pivotal.io/security/cve-2017-4995
Spring Security is apparently invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper). By that, the execution of these "serialization gadgets" is enabled again, or the "blacklist" mentioned in the CVE is nixed. By that, the security vulnerability is back.
Spring Security already issued a fix, but some of the static code analyzers still report an error.
Not sure how this can be solved in Jackson, seems like a change in the config should alleviate all possible issues, right?
NB. I am really just reading the CVE and trying to understand what is the problem, I am by no means a security or Jackson expert :)
@RockyMM thank you! And as usual, there's https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062