CVE-2019-10202 #2700

Closed
lafual opened this issue Apr 26, 2020 · 4 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Comments

lafual commented Apr 26, 2020

Hi,

My company's IT Security has implemented a vulnerability checker. Unfortunately I do not know what this software is. They haven't revealed the name.

However, it is blocking Jackson-databind-2.10.3 with the following issue. https://nvd.nist.gov/vuln/detail/CVE-2019-10202

Is 2.10.3 really vulnerable? The above link does refer to this package in name, but does the link above actually indicate which version is vulnerable?

cowtowncoder (Member) commented:

This problem has not been reported to Jackson maintainers directly, so I do not know the exact details of the alleged vulnerability. However, from the description, which only mentions Jackson 1.x, it looks like it might be a backport of some reported vulns for Jackson 2.x, the latter of which would be fixed for 2.x.

So: as of now I do not think this is relevant for Jackson 2.x until someone proves otherwise.

Worth noting, too, is that none of the polymorphic deserialization vulns/CVEs reported against 2.x are applicable beyond 2.9.x -- 2.10.0 and later are not considered affected as per the CVE definition (the attacks cannot be used with Jackson in its default configuration: the user would have to enable specific handling using deprecated methods).

I hope this helps. For more information, whoever filed the issue would need to share more information.
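As an added illustration of the configuration point made in the comment above (example code written for this page, not taken from the thread or the Jackson project): a 2.10 ObjectMapper does not honour type ids from input unless default typing is switched on, the deprecated enableDefaultTyping() is the opt-in the 2.x CVEs rely on, and activateDefaultTyping() with a PolymorphicTypeValidator is the 2.10 way to allow-list only the subtypes an application expects. The Event and LoginEvent types are hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

public class DefaultTypingConfig {

    // Hypothetical application types: every polymorphic payload must be an Event.
    public static abstract class Event { }
    public static class LoginEvent extends Event { public String user; }

    // Jackson 2.10+ out of the box: default typing is off, so a type id embedded
    // in JSON input is ignored. This is the "default configuration" the 2.x CVEs
    // do not apply to.
    public static ObjectMapper defaultMapper() {
        return new ObjectMapper();
    }

    // The pre-2.10 opt-in the CVEs describe: enableDefaultTyping() is deprecated
    // in 2.10 because it lets the input name any class on the classpath.
    @SuppressWarnings("deprecation")
    public static ObjectMapper legacyUnrestrictedMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // The 2.10 replacement: default typing is active, but a validator restricts
    // the type ids that are accepted to Event and its subclasses. Anything else
    // is rejected with an InvalidTypeIdException at deserialization time.
    public static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        return new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Reads a polymorphic payload; with restrictedMapper() only Event subtypes
    // are accepted, with defaultMapper() no type id is honoured at all.
    public static Event readEvent(ObjectMapper mapper, String json) throws IOException {
        return mapper.readValue(json, Event.class);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = restrictedMapper();
        LoginEvent in = new LoginEvent();
        in.user = "alice"; // constructed sample value
        String json = mapper.writeValueAsString(in); // emits the LoginEvent type id
        Event out = readEvent(mapper, json);
        System.out.println(out.getClass().getSimpleName()); // LoginEvent
    }
}
```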

cowtowncoder (Member) commented:

I went ahead and dug up references to Jackson 2.x issues via matched CVE ids. Here's the list, along with the versions fixed (all but one are against jackson-databind; one, as noted, is for the jackson-datatype-jsr310 module (Java 8 date/time) from https://github.com/FasterXML/jackson-modules-java8/):

Note: fixes are in many cases backported to earlier 2.8 micro-patches, but I include the 2.9.x fixes as the primary ones -- none affects 2.10.0 or later versions.

I do not know how to help with security scanners, but perhaps you can pass on this issue. Like I said, the people who filed the CVE id request did not contact me or anyone from the Jackson dev team (as far as I know), so I don't really know a good way to pass this information on. But the creation of this ticket should make it easier to surface connections as necessary.

I did also add CVE ids in some places where they were missing in the Jackson release notes: oftentimes the actual id is allocated after the issue itself has been fixed (since disclosure timing should ideally occur after the release of a fixed-in version).

lafual (Author) commented Apr 26, 2020

Wow what an answer 💯 Thank you for taking the time to give me such comprehensive feedback 🥇

lafual closed this as completed Apr 26, 2020

cowtowncoder (Member) commented Apr 26, 2020

@lafual np. I figured that it is likely you would not be the only user who ends up asking this question -- security tools are unfortunately often black boxes, and the real-world situation with patches is a tangled mess. On the plus side, I was able to fill in some blanks in the release notes too. :)

Also... interesting. Did not realize Github has auto-linking for CVE ids. Neat.

cowtowncoder added the CVE label Apr 26, 2020
penberg added a commit to scylladb/scylla-jmx that referenced this issue Jul 14, 2020
Jackson 2.9.x has various vulnerabilities that are fixed in 2.10 series:

FasterXML/jackson-databind#2700 (comment)

Let's update to the latest version of Jackson. This is a similar fix to
Github's Dependabot proposal, except we bump the version number across
all Jackson components:

#116
cowtowncoder added this to the 2.9.9 milestone Dec 2, 2020