Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block one more gadget type (oracle-jdbc, CVE-2018-12023) #2058

Closed
cowtowncoder opened this issue Jun 8, 2018 · 1 comment
Closed

Block one more gadget type (oracle-jdbc, CVE-2018-12023) #2058

cowtowncoder opened this issue Jun 8, 2018 · 1 comment
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.6

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Jun 8, 2018
edited
Loading

There is a potential remote code execution (RCE) vulnerability, if user is

  1. handling untrusted content (where attacker can craft JSON)
  2. using "Default Typing" feature (or equivalent; polymorphic value with base type of java.lang.Object
  3. has oracle JDBC driver jar in classpath
  4. allows connections from service to untrusted hosts (where attacker can run an LDAP service)

(note: steps 1 and 2 are common steps as explained in https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)

To solve the issue, 2 types from JDBC driver are blacklisted to avoid their use as "serialization gadgets".

Original vulnerability discoverer:
吴桂雄 Wuguixiong

Fixed in:

  • 2.9.6 and later
  • 2.8.11.2
  • 2.7.9.4
  • 2.6.7.3
cowtowncoder added a commit that referenced this issue Jun 8, 2018
@cowtowncoder
Backport #2052, #2058 fixes for 2.7.9.4
28badf7
@cowtowncoder
Copy link
Member Author

cowtowncoder commented Jun 8, 2018
edited
Loading

Fix committed earlier as:

7487cf7

and is included in versions:

  • 2.7.9.4
  • 2.8.11.2
  • 2.9.6

once released.

@cowtowncoder cowtowncoder added the CVE Issues related to public CVEs (security vuln reports) label Jun 12, 2018
@mlushpenko mlushpenko mentioned this issue Dec 24, 2018
Closed
@test88d test88d mentioned this issue Apr 8, 2019
Closed
@cowtowncoder cowtowncoder changed the title CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver Block one more gadget type (oracle-jdbc, CVE-2018-12023) Sep 12, 2019
@cowtowncoder cowtowncoder mentioned this issue Sep 19, 2019
Closed
ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019
@ablekhman
Block one more gadget type (oracle-jdbc, CVE-2018-12023)
aefa025 
Merged from FasterXML/jackson-databind#2058
@cowtowncoder cowtowncoder added this to the 2.9.6 milestone Dec 2, 2020
This was referenced May 10, 2022
Open
Open
@scott-cx scott-cx mentioned this issue Aug 1, 2022
Open
@cxronen cxronen mentioned this issue Sep 20, 2022
Open
@margaritalm margaritalm mentioned this issue Dec 25, 2022
Open
@cxronen cxronen mentioned this issue Apr 13, 2023
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.6
Development

No branches or pull requests
1 participant
@cowtowncoder