Skip to content

Commit

Permalink
Backport all CVE fixes up to 2.9.10.6 (#2864)
Browse files Browse the repository at this point in the history
  • Loading branch information
@millems
millems authored Sep 29, 2020
1 parent 1f06b42 commit 74aba40
Show file tree
Hide file tree
Showing 2 changed files with 145 additions and 27 deletions.
76 changes: 54 additions & 22 deletions release-notes/VERSION
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,28 +4,60 @@ Project: jackson-databind
=== Releases ===
------------------------------------------------------------------------

2.6.8.3 (16-Nov-2019)

Backport of full set of CVEs as of 2.9.10, including now

#1680
#1855
#1899
#2032
#2052
#2058
#2097
#2186
#2326
#2334
#2341
#2487
#2389
#2410
#2449
#2462
#2478
#2498
2.6.7.4 (not yet released)

Backported all CVE fixes up to 2.9.10.6

#2469: Block one more gadget type (xalan2)
#2526: Block two more gadget types (ehcache/JNDI - CVE-2019-20330)
#2620: Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840)
#2631: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
#2642: Block one more gadget type (javax.swing, CVE-2020-10969)
#2648: Block one more gadget type (shiro-core)
#2653: Block one more gadget type (shiro-core, 2nd class)
#2658: Block one more gadget type (ignite-jta, CVE-2020-10650)
#2659: Block one more gadget type (aries.transaction.jms, CVE-2020-10672)
#2660: Block one more gadget type (caucho-quercus, CVE-2020-10673)
#2662: Block one more gadget type (bus-proxy, CVE-2020-10968)
#2664: Block one more gadget type (activemq-pool[-jms], CVE-2020-11111)
#2666: Block one more gadget type (apache/commons-proxy, CVE-2020-11112)
#2670: Block one more gadget type (openjpa, CVE-2020-11113)
#2680: Block one more gadget type (SSRF, spring-jpa, CVE-2020-11619)
#2682: Block one more gadget type (commons-jelly, CVE-2020-11620)
#2688: Block one more gadget type (apache-drill, CVE-2020-14060)
#2698: Block one more gadget type (weblogic/oracle-aqjms, CVE-2020-14061)
#2704: Block one more gadget type (jaxp-ri, CVE-2020-14062)
#2765: Block one more gadget type (org.jsecurity, CVE-2020-14195)
#2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750)
#2814: Block one more gadget type (Anteros-DBCP, CVE-2020-24616)
#2826: Block one more gadget type (com.nqadmin.rowset, no CVE allocated yet)
#2827: Block one more gadget type (org.arrahtec:profiler-core, no CVE allocated yet)

2.6.7.3 (16-Oct-2019)

Backported all CVE fixes up to 2.9.10

#1680: Block more JDK gadget types (com.sun.rowset)
#1855: Block more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485]
#1899: Another two gadgets to exploit default typing issue in jackson-databind (CVE-2018-5968)
#2032: Block one more gadget type (mybatis, CVE-2018-11307)
#2052: Block one more gadget type (jodd-db, CVE-2018-12022)
#2058: Block one more gadget type (oracle-jdbc, CVE-2018-12023)
#2097: Block more classes from polymorphic deserialization (CVE-2018-14718 - CVE-2018-14721)
#2186: Block more classes from polymorphic deserialization (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362)
#2326: Block one more gadget type (mysql, CVE-2019-12086)
#2334: Block one more gadget type (logback, CVE-2019-12384)
#2341: Block yet another gadget type (jdom, CVE-2019-12814)
#2387: Block one more gadget type (ehcache, CVE-2019-14379)
#2389: Block one more gadget type (logback, CVE-2019-14439)
#2410: Block one more gadget type (HikariCP, CVE-2019-14540)
#2420: Block one more gadget type (cxf-jax-rs, no CVE allocated yet)
#2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
#2462: Block two more gadget types (commons-configuration/-2)
#2478: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
#2498: Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531)


2.6.7.2 (13-Nov-2018)

Expand Down
96 changes: 91 additions & 5 deletions src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,11 +65,14 @@ public class BeanDeserializerFactory
s.add("java.util.logging.FileHandler");
s.add("java.rmi.server.UnicastRemoteObject");
// [databind#1737]; 3rd party
s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
// [databind#2680]
s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");

// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
// [databind#1855]: more 3rd party
s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
Expand All @@ -92,10 +95,11 @@ public class BeanDeserializerFactory
s.add("com.sun.deploy.security.ruleset.DRSHelper");
s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");

// [databind#2186]: yet more 3rd party gadgets
// [databind#2186], [databind#2670]: yet more 3rd party gadgets
s.add("org.jboss.util.propertyeditor.DocumentEditor");
s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");

// [databind#2326]
Expand Down Expand Up @@ -127,8 +131,10 @@ public class BeanDeserializerFactory
s.add("org.apache.commons.configuration.JNDIConfiguration");
s.add("org.apache.commons.configuration2.JNDIConfiguration");

// [databind#2469]: xalan2
// [databind#2469]: xalan
s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
// [databind#2704]: xalan2
s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");

// [databind#2478]: comons-dbcp, p6spy
s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
Expand All @@ -139,6 +145,86 @@ public class BeanDeserializerFactory
s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");

// [databind#2526]: some more ehcache
s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");

// [databind#2620]: xbean-reflect
s.add("org.apache.xbean.propertyeditor.JndiConverter");

// [databind#2631]: shaded hikari-config
s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");

// [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
// [databind#2814]: anteros-dbcp
s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");

// [databind#2642][databind#2854]: javax.swing (jdk)
s.add("javax.swing.JEditorPane");
s.add("javax.swing.JTextPane");

// [databind#2648], [databind#2653]: shiro-core
s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
s.add("org.apache.shiro.jndi.JndiObjectFactory");

// [databind#2658]: ignite-jta (, quartz-core)
s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
s.add("org.quartz.utils.JNDIConnectionProvider");

// [databind#2659]: aries.transaction.jms
s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");

// [databind#2660]: caucho-quercus
s.add("com.caucho.config.types.ResourceRef");

// [databind#2662]: aoju/bus-proxy
s.add("org.aoju.bus.proxy.provider.RmiProvider");
s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");

// [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms

s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
s.add("org.apache.activemq.pool.PooledConnectionFactory");
s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");

// [databind#2666]: apache/commons-jms
s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");

// [databind#2682]: commons-jelly
s.add("org.apache.commons.jelly.impl.Embedded");

// [databind#2688]: apache/drill
s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");

// [databind#2698]: weblogic w/ oracle/aq-jms
// (note: dependency not available via Maven Central, but as part of
// weblogic installation, possibly fairly old version(s))
s.add("oracle.jms.AQjmsQueueConnectionFactory");
s.add("oracle.jms.AQjmsXATopicConnectionFactory");
s.add("oracle.jms.AQjmsTopicConnectionFactory");
s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
s.add("oracle.jms.AQjmsXAConnectionFactory");

// [databind#2765]: org.jsecurity:
s.add("org.jsecurity.realm.jndi.JndiRealmFactory");

// [databind#2798]: com.pastdev.httpcomponents:
s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");

// [databind#2826], [databind#2827]
s.add("com.nqadmin.rowset.JdbcRowSetImpl");
s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");

DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}

Expand Down

0 comments on commit 74aba40

Please sign in to comment.