Jackson-databind: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)

Created on 27 Sep 2019 · 14 Comments · Source: FasterXML/jackson-databind

Another 2 gadget (*) types reported regarding classes of commons-dbcp and p6spy packages.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2019-16942 (commons-dbcp)
Mitre id: CVE-2019-16943 (p6spy)
Reporter: b5mali4

Fixed in:

  • 2.9.10.1 (use jackson-bom version 2.9.10.20191020)
  • 2.6.7.3
  • 2.8.11.5
  • does not affect 2.10.0 and later
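The issue body above describes the general problem: with Jackson default typing enabled, the type id embedded in untrusted JSON selects which class gets instantiated, and in 2.9 the only guard is a block-list of known gadget classes (which these two CVEs extend). The following is an added example, not code from this issue or from the jackson-databind project, showing the 2.9-style configuration beside the 2.10 replacement, where an explicit allow-list validator (`BasicPolymorphicTypeValidator`) decides which subtypes may be resolved before the class is even loaded. The `Shape`, `Circle`, `Square` and `Drawing` types and the JSON strings are constructed for the example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Constructed sample hierarchy: the only polymorphic types the application expects.
    public interface Shape { }
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // Holder with a non-concrete field, so default typing writes a type id for it.
    public static class Drawing { public Shape shape; }

    // 2.9-style setup (deprecated in 2.10): no validator, so any class named by the
    // type id is resolved unless it is on databind's internal block-list of gadgets.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // 2.10-style setup: default typing only works through a PolymorphicTypeValidator.
    // This allow-list names the two concrete classes we accept; every other type id is
    // denied with InvalidTypeIdException before Class.forName() is attempted.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)
                .allowIfSubType(Square.class)
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
    }

    // Returns the runtime class of the deserialized shape, or null if the type id was denied.
    static Class<?> readShapeClass(ObjectMapper mapper, String json) throws Exception {
        try {
            Drawing d = mapper.readValue(json, Drawing.class);
            return d.shape == null ? null : d.shape.getClass();
        } catch (InvalidTypeIdException e) {
            // Denied by the validator (or, in legacy mode, by the block-list / subtype check).
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper hardened = hardenedMapper();

        // Round-trip a legitimate value: serialization emits the WRAPPER_ARRAY form
        // ["<fully.qualified.Class>", {...}] that default typing uses for non-concrete fields.
        Drawing d = new Drawing();
        Circle c = new Circle();
        c.radius = 2.0;
        d.shape = c;
        String ok = hardened.writeValueAsString(d);
        System.out.println("serialized: " + ok);
        System.out.println("allowed   : " + readShapeClass(hardened, ok));   // class ...$Circle

        // Constructed input whose type id names a class outside the allow-list. HashMap is
        // harmless; the point is that the validator rejects the id without consulting any
        // block-list of specific gadget classes.
        String denied = "{\"shape\":[\"java.util.HashMap\",{}]}";
        System.out.println("denied    : " + readShapeClass(hardened, denied)); // null

        // The legacy mapper still exists for comparison; it has no allow-list at all.
        System.out.println("legacy cfg: " + legacyMapper().getClass().getSimpleName());
    }
}
```

The practical takeaway for readers on 2.9.x: upgrading to 2.9.10.1 only lengthens the block-list, whereas moving to 2.10 and `activateDefaultTyping(ptv, ...)` changes the model to allow-listing, which is why the maintainer states that 2.10.0 and later are not considered vulnerable to this class of issue.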

All 14 comments

Email received (read that before seeing this issue).
Will change descriptions slightly.

@cowtowncoder I think you have the Milestone of 2.9.10 wrong on this ticket, as it was fixed after 2.9.10. Wouldn't it be 2.9.10.1?

@melloware Yes, you are right. Will fix the milestone, for some reason set it incorrectly (possibly due to auto-completion).

@cowtowncoder Is there a planned release date for 2.9.10.1?

There is no strict rule; ideally I'd want more than just one fix in a new release, but I understand that for CVEs there is a bit more urgency. Since 2.9.10 was released on September 21, I think a realistic timeline would be within October. So I am thinking of releasing a micro-patch by the end of next week, so around the 19th or so.

Thanks @cowtowncoder. That sounds reasonable.

@cowtowncoder, will there be an updated jackson-bom to match the micro-patch? i.e., similar to 2.9.9.20190807.
@bsmali4, does CVE-2019-16942 occur when the commons-dbcp (1.4) jar is in the classpath? Does the risk not occur with older versions of dbcp, or with dbcp2?

@msymons I regret to tell you, the risk occurs with older versions of dbcp and with dbcp2.

@msymons yes, I plan to also publish matching jackson-bom.

Well, it's October 36th ... I'm still hoping for a 2.9.10.1 .. and the not-yet-released notes for 2.10.1 don't mention issue #2478 (yet) — can you confirm that 2.10.* avoids this issue (this whole class of issue, IIUC)?

(I'm not panicking, though, just a little nervous from the fall.)

@larrywest 2.9.10.1 is out and I am using it?

Yes, 2.9.10.1 is out. But being a micro-patch (having that last 4th digit), only jackson-databind was released, not full suite, along with jackson-bom version of:

https://mvnrepository.com/artifact/com.fasterxml.jackson/jackson-bom/2.9.10.20191020

which does have full compatible version set (2.9.10 of everything else, 2.9.10.1 of databind).

CVE-2019-16942 and CVE-2019-16943 are not applicable for 2.10.0, right? Basically hoping these are fixed if we use 2.10.0 or later.

@Nildha this is correct: 2.10.0 and later are not considered vulnerable.
