A data vulnerability has been reported when Default Typing is enabled for externally exposed JSON endpoints.
Issue #2341 dealt with this.
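The report above hinges on one configuration choice: whether the ObjectMapper has default typing switched on, which lets the incoming JSON name the class to instantiate. The following is an added example, not code from the jackson-databind project or from anyone in this thread, contrasting the weak 2.9-era setting with the allow-list form introduced in 2.10. The package `com.example`, the `Message` and `Note` classes and both JSON inputs are constructed for illustration; `java.util.HashMap` stands in for any class outside the allow-list.

```java
package com.example;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Constructed POJO: the field is declared as Object, so once default
    // typing is active the JSON document decides which class is created.
    public static class Message {
        public Object payload;
    }

    // Constructed subtype living under the package the allow-list permits.
    public static class Note {
        public String text;
    }

    // Weak configuration (2.9 API, deprecated since 2.10): any class named
    // by a type id is eligible for instantiation. This is the setting the
    // issue describes as dangerous on externally exposed endpoints.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened configuration (2.10+): default typing is only honoured for
    // classes whose name starts with an explicit prefix; everything else is
    // rejected before any constructor runs.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the type id (default WRAPPER_ARRAY layout) names
        // a class inside the allow-list.
        String allowed =
            "{\"payload\":[\"com.example.DefaultTypingExample$Note\",{\"text\":\"hi\"}]}";
        // Constructed input: the type id names a class outside the allow-list.
        String outside = "{\"payload\":[\"java.util.HashMap\",{}]}";

        // The weak mapper instantiates whatever the document asks for.
        Message weak = weakMapper().readValue(outside, Message.class);
        System.out.println("weak mapper built: " + weak.payload.getClass().getName());

        // The hardened mapper still supports the intended subtype...
        Message ok = hardenedMapper().readValue(allowed, Message.class);
        System.out.println("hardened mapper built: " + ok.payload.getClass().getName());

        // ...but refuses anything outside the prefix with InvalidTypeIdException.
        try {
            hardenedMapper().readValue(outside, Message.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

If the application does not actually need polymorphic fields, the simplest fix is to leave default typing off entirely; the validator form is for code that genuinely relies on it and can enumerate the permitted packages.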
Yes, I think this is a dup of #2341, fixed in codebase and waiting for release of either 2.9.9.1 or 2.9.10 (depending on whether there are enough fixes to warrant a full release (latter), or just a jackson-databind micro-patch (former)).
I have been on vacation for the past 10 days (and will be out for another week now), so the fix is likely to be out by mid-July.
Unfortunately the decision to release this as 2.9.9.1 means that the owasp dependency-check-maven plugin still flags this version as vulnerable.
To my mind resolving a vulnerability should be enough to merit a full release.
@alainmoran There will eventually be a full release when there are enough fixes to warrant my using half a work-day for unpaid work. But some users really wanted to get an update sooner so I instead spent 30 minutes to get an update. You are very welcome.
But I don't necessarily give a flying fuck about what some half-assed pisspoor security tool says or does -- it pisses me greatly that I have to waste my time to work around their limitations. Time that I could use for actually useful things.
And even adding this comment is similarly pointless overhead.
I tried 2.9.9.1. OWASP Dependency Checker still calls it out due to the versioning (that pesky semantic versioning). This means that other tools will call it out as well. Note that most companies now have to use tools like this to scan jar files for vulnerabilities because of regulations that have extremely large penalties associated with them. Do a google on the recent penalties from GDPR violations. You might be shocked.
What is the ETA for getting a 2.9.10 version and can you explain why it takes different amounts of time for those two version differences (2.9.9.1 versus 2.9.10)?
@mecorusfc be so kind and create an issue with OWASP dependency-check for a false positive.
I was able to get a clean scan now. First one didn't rebuild due to no code changes so I forced a rebuild and that caught the new dependency. No need for a false positive report. Looks like it is working now. Thanks for the quick response. Mike