Jackson-databind: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)

Created on 27 Feb 2020 · 8 Comments · Source: FasterXML/jackson-databind

(note: placeholder until verified/validated, fix provided)

Another gadget type reported regarding a class of [TO BE ADDED].
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-9546
Reporters: threedr3am & LFY

Fix will be included in:

  • 2.9.10.4
  • 2.8.11.6 (jackson-bom version 2.8.11.20200310)
  • 2.7.9.7
  • Does not affect 2.10.0 and later
CVE

All 8 comments

CVE-2020-9546 seems to have been assigned.

@carnil thank you: yes, I did get a response that this is the cve id allocated.

Hi @cowtowncoder ,

I am using jackson-databind 2.10 and I noticed that the fix was included in version 2.10.3,
but according to this report, 2.10.0 and later are not affected.

Can you please advise if any of 2.10.x are vulnerable following this issue?

@romansok 2.10.x (and later versions) is not affected by this CVE, exactly as the description says.

For convenience, block-list is still included (otherwise merging from earlier versions would always need manual resolution) and hence merged. Same is true all the way to master branch (3.0)

Hi,
Apparently this is closed in 2.9.10.4 but I don't think that version has been released.
https://search.maven.org/artifact/com.fasterxml.jackson.core/jackson-databind
Should I open a different issue?
Thanks

@gonfva-bcl Open different issue for what? No need wrt making 2.9.10.4 release -- it is delayed partly because there has been recent flood of submissions, not because release is forgotten. There are for now 7 additions, this included. 2 are work in progress wrt cve id.

I also try to focus hard on getting 2.11.0.rc1 out ASAP since there is not much value in updating block lists like here -- researchers will find more, from all tens of thousands of OSS libraries, with diminishing return (since actual vulnerabilities only affect small subset of users, both wrt default typing being minority option and existence of specific jar in classpath).

I was hoping to get 2.9.10.4 released over the weekend but that did not happen. Next ETA would be next weekend, i.e. in 5 days.
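The comment above points out that these gadget CVEs only reach applications that turn on default typing and happen to have the gadget's jar on the classpath. As an added example that is not part of this thread or of jackson-databind itself, the Java below puts the weak 2.9-style configuration next to the allowlisted form that 2.10 introduced with `PolymorphicTypeValidator` and `JsonMapper`. The `Event` model classes, the `parseEvent` helper and both sample payloads are constructed for the example.

```java
import java.io.IOException;
import java.io.UncheckedIOException;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Constructed model: the only polymorphic hierarchy this application deserializes.
    public interface Event { }
    public static class LoginEvent implements Event { public String user; }
    public static class LogoutEvent implements Event { public String user; }

    // Weak configuration (2.9-era API, deprecated in 2.10): any class name carried in the
    // payload's type id is a candidate for instantiation, so a gadget class on the classpath
    // that the block list does not yet name is reachable. Shown for contrast only.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened configuration (2.10+): default typing only through a PolymorphicTypeValidator
    // whose allowlist is the application's own model. Type ids outside the prefix are refused
    // no matter which jars are on the classpath, so no block-list update is needed for them.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // the nested model classes above all start with this outer class name
                .allowIfSubType(DefaultTypingHardening.class.getName())
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Returns the parsed event, or null when Jackson refuses the embedded type id.
    public static Event parseEvent(ObjectMapper mapper, String json) {
        try {
            return mapper.readValue(json, Event.class);
        } catch (JsonMappingException e) {
            // InvalidTypeIdException (a JsonMappingException) for denied or unknown type ids
            System.out.println("rejected: " + e.getOriginalMessage());
            return null;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public static void main(String[] args) {
        // Default typing for a non-final base uses WRAPPER_ARRAY inclusion: ["<class>", {...}]
        String legit = "[\"" + LoginEvent.class.getName() + "\",{\"user\":\"alice\"}]";
        // Constructed type id outside the allowlist; no such class exists in this example.
        String unlisted = "[\"com.example.untrusted.NotAllowed\",{\"user\":\"alice\"}]";

        ObjectMapper safe = hardenedMapper();
        System.out.println("allowlisted id parsed: " + (parseEvent(safe, legit) instanceof LoginEvent));
        System.out.println("unlisted id rejected:  " + (parseEvent(safe, unlisted) == null));
    }
}
```

The allowlist is the part that matters: with `weakMapper()` the same `unlisted` payload is only stopped if its class is either absent from the classpath or already on the block list, which is exactly the race this thread describes; with `hardenedMapper()` the decision depends on the application's own model rather than on the next reported gadget. If default typing is not needed at all, the strongest option is to not activate it and to annotate the few polymorphic properties with `@JsonTypeInfo` and `@JsonSubTypes` instead.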

@cowtowncoder
Would you please tell us when 2.9.10.4 will be released?
We have to upgrade jackson-databind to this version. Thank you very much.

@lobozhu yes, I will do that when I have time to release it. At this point, it won't be until next weekend, likely, since there is one more open report to handle.
