
Block more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485) #1855

Closed
cowtowncoder opened this issue Dec 12, 2017 · 13 comments
Labels: CVE (Issues related to public CVEs / security vuln reports)
Milestone: 2.8.11

Comments

cowtowncoder (Member) commented Dec 12, 2017

More potential deserialization gadgets reported for:

  • DBCP types (similar to c3p0 ones already included)
  • Spring framework AOP helpers
  • Spring framework application context

For some of these we need to check the parent hierarchy.

Fixed in:

  • 2.9.4
  • 2.8.11
  • 2.7.9.2
  • 2.6.7.3
  • Not applicable to 2.10.0 or later
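As an added illustration (not jackson-databind's own code), this is the kind of hierarchy-aware deny-list check the last point of the post refers to: a type is rejected if it, any superclass, or any interface along the chain is on the list, so a subtype cannot slip past a list that names only its base. The class names below are constructed placeholders, not the actual DBCP or Spring types.

```java
import java.util.HashSet;
import java.util.Set;

public class GadgetDenyList {
    // Constructed stand-ins for a blocked base type and a subtype of it
    // (placeholders, not the real DBCP/Spring class names).
    static abstract class BlockedBaseDataSource {}
    static class PooledDataSource extends BlockedBaseDataSource {}
    static class HarmlessPojo {}

    private final Set<String> denied = new HashSet<>();

    GadgetDenyList(String... names) {
        for (String n : names) denied.add(n);
    }

    // Returns the first denied type found among the class itself, its
    // superclasses, and every interface any of them implements; null if
    // the type is allowed. A name-only lookup would miss the subtype case.
    String findDeniedAncestor(Class<?> type) {
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            if (denied.contains(c.getName())) return c.getName();
            for (Class<?> i : c.getInterfaces()) {
                String hit = findDeniedAncestor(i);
                if (hit != null) return hit;
            }
        }
        return null;
    }

    boolean isAllowed(Class<?> type) {
        return findDeniedAncestor(type) == null;
    }

    public static void main(String[] args) {
        // Only the base type is listed; the subtype must still be rejected.
        GadgetDenyList list = new GadgetDenyList(BlockedBaseDataSource.class.getName());
        for (Class<?> c : new Class<?>[] { PooledDataSource.class, HarmlessPojo.class }) {
            String hit = list.findDeniedAncestor(c);
            System.out.println(c.getSimpleName() + ": "
                + (hit == null ? "allowed" : "blocked via " + hit));
        }
    }
}
```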
@cowtowncoder cowtowncoder added 2.8 CVE Issues related to public CVEs (security vuln reports) labels Dec 12, 2017
cowtowncoder added a commit that referenced this issue Dec 13, 2017
@cowtowncoder cowtowncoder changed the title from "Placeholder for continuing serialization gadget fixing" to "Blacklist for more serialization gadgets (dbcp/tomcat, spring)" Dec 19, 2017
@cowtowncoder cowtowncoder added this to the 2.8.11 milestone Dec 19, 2017
cowtowncoder (Member, Author) commented:

I think this covers to-be-released CVE-2017-17485.

adioss commented Jan 11, 2018

Hello,
Could you provide a list of affected versions? In the CVE declaration https://nvd.nist.gov/vuln/detail/CVE-2017-17485, the "Vulnerable software and versions" part is omitted, so it's not clear (I don't know if that's normal?). All versions before 2.8.10 and/or before 2.9.1?
Thanks a lot!

bekwam commented Jan 12, 2018

The NIST page now lists "through 2.9.3" which is the latest version in Maven.

cowtowncoder (Member, Author) commented Jan 12, 2018

Fix is in 2.8.11 (already out) and will be in 2.9.4 due to be released soon, during January (blocked by unrelated changes we want to get in).

@bekwam One complication here is that we keep 2 or 3 open branches, typically, so ordering is not linear across patches from different minor version branches. Hence 2.8.11 has some later fixes than 2.9.3.

cowtowncoder (Member, Author) commented:

Apparently this is related to CVE-2017-17485, will resolve it.

@cowtowncoder cowtowncoder changed the title from "Blacklist for more serialization gadgets (dbcp/tomcat, spring)" to "Blacklist for more serialization gadgets (dbcp/tomcat, spring) [CVE-2017-17485]" Jan 22, 2018
yousifS commented Feb 5, 2018

Does 2.7.9.2 also fix this issue? If so https://nvd.nist.gov/vuln/detail/CVE-2017-17485 still flags that version as affected.

cowtowncoder (Member, Author) commented:

@yousifS I don't know. Probably not -- time to get out of 2.7 branch as it is not open any more.

cowtowncoder (Member, Author) commented:

@yousifS Actually, looking at this again... the fix is indeed included in 2.7.9.2, which was released 20-Dec-2017. This is as per the release notes.

yousifS commented Feb 12, 2018

@cowtowncoder I thought so, but did not want to assume. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485 is still incorrect then. Thanks again for looking into it.

cowtowncoder (Member, Author) commented:

@yousifS FWIW, there is also now 2.7.9.3, released because of one NPE related to the blacklist checking included in 2.7.9.2.

@cowtowncoder cowtowncoder changed the title from "Blacklist for more serialization gadgets (dbcp/tomcat, spring) [CVE-2017-17485]" to "Block more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485]" Sep 12, 2019
@cowtowncoder cowtowncoder changed the title from "Block more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485]" to "Block more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485)" Apr 26, 2020
5 participants