CVE-2019-12384 #2421

Closed
chengbinghan opened this issue Aug 13, 2019 · 3 comments
Comments

@chengbinghan commented Aug 13, 2019

Hi,
sorry for my poor English.
Jackson is a very easy-to-use lib. We use it in our code. We also use Kafka (2.1.0), and Kafka also uses the Jackson lib.

Recently we noticed CVE-2019-12384 (#2334), so we can update the lib in our project to
2.9.9.1, 2.10.0, or the back-ported 2.7.9.6 and 2.8.11.4.
But after we searched all Kafka versions, there is no safe Kafka (all versions of Kafka use an unsafe Jackson lib).
To solve this problem, we have two choices:
one is to not use Kafka;
the second is to make a patch for Kafka. For example, we use kafka-2.1.0 (the Jackson version in kafka-2.1.0 is 2.9.7); after studying how to make a patch on jackson-databind, we make a patch on jackson-2.9.7.

How do we make a patch on jackson-2.9.7?

Thanks very, very much.

@Alanscut (Contributor) commented

If you use Jackson through Maven or Gradle, the patch won't work, because Jackson is downloaded from the Maven repository, which is released by the owner of Jackson.
But you could apply the patch to your local Jackson source code, then generate a Jackson jar file, then add that Jackson jar file to the classpath of your local Kafka source code and generate a Kafka jar file again. However, I don't suggest you do that.
The best way is to urge the authors of Kafka to switch the version of Jackson.

@cowtowncoder (Member) commented

One thing to note: I am 99% sure Kafka does not use the features affected by this CVE (the exploit and what it requires are explained here: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062).
So I do not think use of Kafka is unsafe, unless there is something that enables default typing. I do not remember seeing this (I have read some of the Kafka Java code for clients, non-core components).

But you could also contact the Kafka team (file an issue, for example) to request that they upgrade the dependency.

Note, too, that the issue tracker is not a good place to ask questions. A better place is the mailing list:

https://groups.google.com/forum/#!forum/jackson-user

or the Gitter forum

https://gitter.im/FasterXML/jackson-databind
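
As an added illustration of the condition cowtowncoder describes above (this is example code written for this page, not Jackson's, Kafka's or any commenter's code): one `ObjectMapper` is shown first with global default typing enabled, as a 2.9.x application might have configured it, then with the default configuration, then with the 2.10+ `PolymorphicTypeValidator` allow-list. The `Event`, `Untrusted` and `Greeting` classes and the JSON input are constructed for the demo and no real gadget class is involved. It assumes jackson-databind 2.10 or later on the classpath, since the `activateDefaultTyping` call in step 3 does not exist in 2.9.7.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Holder with a field declared as Object. This is the shape that default
    // typing makes dangerous: the JSON itself may then name the class that
    // Jackson instantiates for "payload".
    public static class Event {
        public Object payload;
    }

    // Harmless stand-in for "a class the sender chose". Any class on the
    // classpath with a public no-arg constructor and setters is a candidate;
    // the setter running during deserialization is what an attacker abuses.
    public static class Untrusted {
        public void setText(String text) {
            System.out.println("Untrusted.setText() invoked with: " + text);
        }
    }

    // The only type the application actually intends to accept for payload.
    public static class Greeting {
        public String text;
    }

    // Constructed sample input (hypothetical): the type id in the wrapper
    // array is chosen by whoever produced the JSON, not by the application.
    static final String INPUT =
        "{\"payload\":[\"DefaultTypingDemo$Untrusted\",{\"text\":\"hello\"}]}";

    public static void main(String[] args) throws Exception {
        // 1. Vulnerable configuration: global default typing, as a 2.9.x app
        //    might have enabled it. The JSON decides the class and the setter
        //    runs while the value is being built. (Deprecated since 2.10.)
        ObjectMapper unsafe = new ObjectMapper();
        unsafe.enableDefaultTyping(DefaultTyping.OBJECT_AND_NON_CONCRETE);
        Event e1 = unsafe.readValue(INPUT, Event.class);
        System.out.println("unsafe -> payload is " + e1.payload.getClass().getName());

        // 2. Default ObjectMapper: no default typing. The same bytes are just a
        //    List holding a String and a Map; no class name is looked up.
        ObjectMapper plain = new ObjectMapper();
        Event e2 = plain.readValue(INPUT, Event.class);
        System.out.println("plain  -> payload is " + e2.payload.getClass().getName());

        // 3. 2.10+: when polymorphic handling is genuinely needed, gate it with
        //    an allow-list so only intended subtypes may be named in the JSON.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Greeting.class)
            .build();
        ObjectMapper gated = new ObjectMapper();
        gated.activateDefaultTyping(ptv, DefaultTyping.OBJECT_AND_NON_CONCRETE);
        try {
            gated.readValue(INPUT, Event.class);
            System.out.println("gated  -> unexpectedly accepted");
        } catch (InvalidTypeIdException ex) {
            System.out.println("gated  -> rejected: " + ex.getOriginalMessage());
        }
    }
}
```

Step 1 prints the `Untrusted.setText()` line before the mapper even returns, which is the precondition the CVE needs: control over which class is loaded and which setters run. Step 2 gives a `java.util.ArrayList`, and step 3 fails with the validator's denial message. Auditing a dependency for this condition therefore comes down to finding calls to `enableDefaultTyping`/`activateDefaultTyping`, or `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)` on a property whose declared type is `Object` or an interface, rather than looking only at the bundled jackson-databind version.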

@chengbinghan (Author) commented

Thanks very much!
