Block one more gadget type (mysql, CVE-2019-12086) #2326
Comments
Fixed this in
Is this fix included in 2.9.9? I didn't find any information about this in the release notes.
@0x554simon yes it is. Thank you for pointing out it was missing from the release notes file, even though it was included on the release page (https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)
@cowtowncoder https://nvd.nist.gov/vuln/detail/CVE-2019-12086 is saying/suggesting that the vulnerability can be exploited only if the mysql-connector-java jar 8.0.14 or earlier is in the classpath. |
@tcherel I based the CVE on a report I received which seemed to indicate something had been fixed, but I did not verify the difference myself. So I wonder if the original reporter included the latest version that had the problem and assumed (or implied) that the fix would be in the next version?
Thanks @cowtowncoder. Do you have an email or contact info that I can use to reach out to the original reporter? |
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9 Notably, this includes a fix for CVE-2019-12086. See FasterXML/jackson-databind#2326 for details.
Original reporter here refers to the person who sent me the information; I filed for the CVE. http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/ with instructions that included
I see. I think I figured out why it is not exploitable with 8.0.15 or higher. Default value of the connection property allowLoadLocalInfile has been changed to false. Thanks for the help.
Do you plan to backport this to
Important fix: FasterXML/jackson-databind#2326 Reviewers: Colin P. McCabe <cmccabe@apache.org>
No backporting to versions prior to 2.9.x planned.
Hi @cowtowncoder, I found this on the web https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 that seems to be written by you. I am wondering if (3) under "What to do to Protect My System?" is also a valid protection against CVE-2019-12086. I assume it is, but I want to double check. If I read the description of the CVE (https://nvd.nist.gov/vuln/detail/CVE-2019-12086) it does not name (3) as a protection. Also, could you please tell me if classes with @JsonTypeInfo (or subclasses of them) with properties of type Object are affected if they are annotated with @JsonIgnore? For example, would the following be vulnerable:
And my last question: would a class be vulnerable if the class does not have a property of type Object directly but indirectly? I assume it is, but I want to double check. For example, would the following be vulnerable:
First of all: yes, that blog entry covers this CVE as well; there is nothing special (I'll need to add more detail here). Second: members of polymorphic types DO NOT automatically inherit polymorphic handling -- so
So neither of your cases is affected by any of these CVEs. In fact, even I hope this helps.
Fixes CVE-2019-12086; see FasterXML/jackson-databind#2326 Signed-off-by: Craig Andrews <candrews@integralblue.com>
…nerabilities FasterXML/jackson-databind#2326: Block class for CVE-2019-12086 FasterXML/jackson-databind#2334: Block class for CVE-2019-12384 FasterXML/jackson-databind#2341: Block class for CVE-2019-12814 FasterXML/jackson-databind#2387: Block class for CVE-2019-14379 FasterXML/jackson-databind#2389: Block class for CVE-2019-14439
A new gadget type (see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) was reported, and the CVE id allocated was CVE-2019-12086. The CVE description is available at https://nvd.nist.gov/vuln/detail/CVE-2019-12086 for full details, but the specific variation (in addition to needing "default typing" and the attacker being able to craft a specific JSON message) is that: with mysql-connector-java in its classpath the vulnerability applies, and the attacker is able to read arbitrary files from the service's local file system.
Original vulnerability discoverer: 618 from College of software, Nankai University
Fixed in:
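As an added example (not code from this thread or from the Jackson project), the two preconditions the issue body names, default typing enabled and an unwanted class reachable on the classpath, shown as a weak and a hardened ObjectMapper configuration, together with the point made in the reply above that members of a @JsonTypeInfo-annotated type do not inherit polymorphic handling. It assumes jackson-databind 2.10 or later, where activateDefaultTyping and BasicPolymorphicTypeValidator exist; Shape, Circle, Unlisted and Container are constructed stand-ins, and Unlisted plays the role of a harmless class that merely happens to be on the classpath, standing in for the mysql-connector-java case without reproducing it.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application types, constructed for this example.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    // On the classpath, but never meant to be chosen by the sender of a JSON document.
    public static class Unlisted { public String note; }

    // Annotated for polymorphic handling. The annotation governs how a Container
    // itself is identified; it is NOT inherited by the Object-typed 'payload' member.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    public static class Container {
        public Object payload;
    }

    // WEAK: global default typing with the laissez-faire validator. Every value bound
    // to Object (or any non-final type) now accepts a sender-chosen class name, so any
    // class on the classpath is a candidate. This is the precondition the issue describes.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                                     ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED: default typing restricted to an explicit allow-list. Type ids that do
    // not resolve to a Shape implementation are rejected before any bean is built.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Constructed sender-controlled JSON: a wrapper-array type id naming a class that
    // is on the classpath but outside the allow-list (harmless stand-in for a gadget).
    static String unlistedPayload() {
        return "[\"" + Unlisted.class.getName() + "\", {\"note\": \"x\"}]";
    }

    static String circlePayload() {
        return "[\"" + Circle.class.getName() + "\", {\"radius\": 2.0}]";
    }

    public static void main(String[] args) throws Exception {
        // 1. Weak configuration: the sender picks the class and it is instantiated.
        Object weak = weakMapper().readValue(unlistedPayload(), Object.class);
        System.out.println("weak mapper instantiated: " + weak.getClass().getName());

        // 2. Hardened configuration: the same input is rejected by the validator...
        ObjectMapper hardened = hardenedMapper();
        try {
            hardened.readValue(unlistedPayload(), Object.class);
            System.out.println("UNEXPECTED: unlisted type id accepted");
        } catch (JsonMappingException e) {
            System.out.println("hardened mapper rejected type id: " + e.getOriginalMessage());
        }
        // ...while allow-listed types still deserialize.
        Object ok = hardened.readValue(circlePayload(), Object.class);
        System.out.println("hardened mapper accepted: " + ok.getClass().getSimpleName());

        // 3. No default typing at all: a @JsonTypeInfo class with an Object member.
        //    The member binds to a plain Map; polymorphic handling is not inherited.
        String containerJson = "{\"@class\": \"" + Container.class.getName()
                + "\", \"payload\": {\"k\": 1}}";
        Container c = new ObjectMapper().readValue(containerJson, Container.class);
        System.out.println("payload bound as: " + c.payload.getClass().getName());
    }
}
```

Running main shows the weak mapper instantiating Unlisted from the constructed payload and the hardened mapper throwing InvalidTypeIdException (a JsonMappingException subclass) for the same type id, while the Circle payload still binds. The third case binds payload to a java.util.LinkedHashMap, which is why a class annotated with @JsonTypeInfo is not by itself exposed through its Object-typed members unless default typing has been switched on for the mapper.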