Jackson-databind: Block one more gadget type (logback, CVE-2019-12384)

Created on 28 May 2019  路  10Comments  路  Source: FasterXML/jackson-databind

A new gadget type (see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) was reported, and CVE id allocated was CVE-2019-12384.
CVE description is available at: https://nvd.nist.gov/vuln/detail/CVE-2019-12384 for full details, but the specific variation (in addition to needing "default typing", attacker being able to craft specific json message) is that:

  • If service has jar logback-classic in its classpath

vulnerability applies.

Fixed in:

  • 2.9.10
  • 2.8.11.4
  • 2.7.9.6
  • 2.6.7.3
CVE
Source
picture cowtowncoder

Most helpful comment

Release 2.9.9.1 in-progress.

picture cowtowncoder on 3 Jul 2019
👍3

All 10 comments

Excuse me, may I ask when will this issue be solved?

hwwxj picture hwwxj on 11 Jun 2019

I hope to have to work on this (and perhaps the other CVE to file) later this week.

cowtowncoder picture cowtowncoder on 11 Jun 2019

Fixed in 2.9 (for likely micro-patch 2.9.9.1), as well as backported in 2.8 and 2.7 (in case new versions might be released; or to make it easier for users to build from those branches).

cowtowncoder picture cowtowncoder on 13 Jun 2019

ok, thank you very much. By the way, when will the patch 2.9.9.1 be released? we need this urgently.

hwwxj picture hwwxj on 17 Jun 2019

I'll be going on vacation later today, back on July 1st, so at earliest in early July (but possibly mid-July, depending on if it'll be 2.9.10 or 2.9.9.1).

cowtowncoder picture cowtowncoder on 18 Jun 2019

Release 2.9.9.1 in-progress.

cowtowncoder picture cowtowncoder on 3 Jul 2019
👍3

@cowtowncoder Are you planning on releasing a 2.9.9.1 for the jackson-bom artifact containing this jackson-databind release? Thanks

jebeaudet picture jebeaudet on 4 Jul 2019
👍1

@jebeaudet I am bit on fence on that -- if you would find it useful, please file an issue and I can create one?

cowtowncoder picture cowtowncoder on 7 Jul 2019

Excuse me, may I ask when will jackson 2.9.10 be released?

hwwxj picture hwwxj on 5 Aug 2019

@hwwxj Not clear yet -- not enough bug fixes to warrant full release. But micro-patches 2.9.9.1 and 2.9.9.2 exist with the fix (plus there will be imminent 2.9.9.3 to address #2395 that was included in 2.9.9.2).

cowtowncoder picture cowtowncoder on 5 Aug 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

trevora-edge picture trevora-edge  路  5Comments
dweiss picture dweiss  路  5Comments
drekka picture drekka  路  3Comments
victornoel picture victornoel  路  3Comments
laoyur picture laoyur  路  3Comments