Jackson-databind: Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840)
Another gadget (*) type reported related to JNDI access.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.
Mitre id: CVE-2020-8840
Original discoverer: @threedr3am
Fixed in:
- 2.9.10.3 (
jackson-bomversion2.9.10.20200223) - 2.8.11.5 (
jackson-bomversion2.8.11.20200210) - 2.7.9.7
- does not affect 2.10.0 and later
cowtowncoder
All 6 comments
@cowtowncoder Is there an ETA on releasing 2.9.10.3? Thanks!
attritionorg
on 18 Feb 2020
I hope to have time to do the micro-patch release this by end of the week.
cowtowncoder
on 18 Feb 2020
Release making its way to Maven Central now.
cowtowncoder
on 23 Feb 2020
[NOTE: a placeholder until complete information gathered]
Another gadget (*) type reported related to JNDI access.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.Mitre id: CVE-2020-8840
Original discoverer: @threedr3amFixed in:
- 2.9.10.3 (released 2019-02-23;
jackson-bomversion2.9.10.20200223)- 2.8.11.5
- does not affect 2.10.0 and later
Was released 2020-02-23 wrongly written as released 2019-02-23?
nobdy
on 27 Feb 2020
What about 2.7.x?
GodIsDevil
on 27 Feb 2020
@nobdy yes, thank you for pointing that out.
@GodIsDevil no plans to backport to versions prior to 2.8.x.
cowtowncoder
on 27 Feb 2020
Related issues
pglizniewicz
路
5Comments
bungder
路
5Comments
victornoel
路
3Comments
drekka
路
3Comments
guoai2015
路
4Comments