
Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943) #2478

Closed
bsmali4 opened this issue Sep 27, 2019 · 14 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone

Comments

@bsmali4

bsmali4 commented Sep 27, 2019

Another 2 gadget (*) types reported regarding classes of commons-dbcp and p6spy packages.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2019-16942 (commons-dbcp)
Mitre id: CVE-2019-16943 (p6spy)
Reporter: b5mali4

Fixed in:

  • 2.9.10.1 (use jackson-bom version 2.9.10.20191020)
  • 2.6.7.3
  • 2.8.11.5
  • does not affect 2.10.0 and later
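Added example (not from this issue or from the jackson-databind project): the gadget-type blocklist that this issue extends only matters when an `ObjectMapper` has default typing enabled for broad type ranges. The safer pattern, available from 2.10.0 on, is to not rely on the blocklist at all and instead hand `activateDefaultTyping` an explicit allowlist via `BasicPolymorphicTypeValidator`. The package prefix `com.example.model.` is an assumed application package, not something named on this page.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class SafeMapperFactory {

    private SafeMapperFactory() {}

    /**
     * Builds an ObjectMapper whose polymorphic type handling is restricted to an
     * allowlist, so classes from commons-dbcp, p6spy or any other library on the
     * classpath are rejected before the blocklist is even consulted.
     */
    public static ObjectMapper buildRestrictedMapper() {
        // Allowlist: only subtypes under our own model package (assumed package name)
        // may be named by a type id in incoming JSON.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();

        ObjectMapper mapper = new ObjectMapper();
        // Still enable default typing only for non-final types, and only with the validator.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /**
     * The pre-2.10 pattern that this issue's CVEs target. Kept here as the "before"
     * configuration for comparison; it is deprecated in 2.10 and should not be used.
     */
    @SuppressWarnings("deprecation")
    public static ObjectMapper buildLegacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Every non-final type is deserialized by the class name in the JSON;
        // safety depends entirely on the blocklist being complete.
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }
}
```

If the application does not actually need arbitrary polymorphic types, the better fix is to not call `activateDefaultTyping` at all and to declare allowed subtypes explicitly with `@JsonTypeInfo`/`@JsonSubTypes` on the relevant base classes.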
@cowtowncoder
Member

Email received (read that before seeing this issue).
Will change descriptions slightly.

@cowtowncoder cowtowncoder changed the title Block two new serialization gadgets Block two more gadget types (commons,dbcp, p6spy) Sep 27, 2019
@cowtowncoder cowtowncoder added 2.9 CVE Issues related to public CVEs (security vuln reports) labels Sep 27, 2019
@cowtowncoder cowtowncoder changed the title Block two more gadget types (commons,dbcp, p6spy) Block two more gadget types (commons-dbcp, p6spy) Sep 29, 2019
@cowtowncoder cowtowncoder added this to the 2.9.10 milestone Sep 29, 2019
cowtowncoder added a commit that referenced this issue Sep 29, 2019
cowtowncoder added a commit that referenced this issue Sep 29, 2019
@cowtowncoder cowtowncoder changed the title Block two more gadget types (commons-dbcp, p6spy) Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943) Sep 30, 2019
@melloware

@cowtowncoder I think you have the Milestone of 2.9.10 wrong on this ticket as it was fixed after 2.9.10. Wouldn't it be 2.9.10.1?

@cowtowncoder
Member

@melloware Yes, you are right. Will fix the milestone, for some reason set it incorrectly (possibly due to auto-completion).

@cowtowncoder cowtowncoder modified the milestones: 2.9.10, 2.9.10.1 Oct 7, 2019
marco-schmidt added a commit to marco-schmidt/am that referenced this issue Oct 9, 2019
by upgrading dependency jackson-databind/ to 2.10.0: FasterXML/jackson-databind#2478
marco-schmidt added a commit to marco-schmidt/amweb that referenced this issue Oct 9, 2019
by upgrading dependency jackson-databind/ to 2.10.0 FasterXML/jackson-databind#2478
@foxylion

@cowtowncoder Is there a planned release date for 2.9.10.1?

@cowtowncoder
Member

There is no strict rule; ideally I'd want more than just one fix in a new release, but I understand that for CVEs there is a bit more urgency. Since 2.9.10 was released on September 21, I think a realistic timeline would be within October. So I am thinking of releasing a micro-patch by the end of next week, so around the 19th or so.

@foxylion

Thanks @cowtowncoder. That sounds reasonable.

@msymons

msymons commented Oct 14, 2019

@cowtowncoder, will there be an updated jackson-bom to match the micro-patch? i.e., similar to 2.9.9.20190807.
@bsmali4, does CVE-2019-16942 occur when the commons-dbcp (1.4) jar is in the classpath? Does the risk not occur with older versions of dbcp, or with dbcp2?

@bsmali4
Author

bsmali4 commented Oct 15, 2019

@msymons I regret to tell you, the risk occurs with older versions of dbcp and with dbcp2.

alxgln added a commit to boclips/kaltura-client that referenced this issue Oct 15, 2019
@cowtowncoder
Member

@msymons yes, I plan to also publish matching jackson-bom.

martokarski pushed a commit to atlassian/jackson-1 that referenced this issue May 8, 2020