Block one more gadget type (jodd-db, CVE-2018-12022) #2052

cowtowncoder · 2018-05-29T20:03:23Z

There is a potential remote code execution (RCE) vulnerability, if user is

handling untrusted content (where attacker can craft JSON)
using "Default Typing" feature (or equivalent; polymorphic value with base type of java.lang.Object
has jodd-db (https://jodd.org/db/) jar in classpath
allows connections from service to untrusted hosts (where attacker can run an LDAP service)

(note: steps 1 and 2 are common steps as explained in https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)

To solve the issue, one type from Jodd database component is blacklisted to avoid their use as "serialization gadgets".

Original vulnerability discoverer:
吴桂雄 Wuguixiong

Fixed in:

2.9.6 and later
2.8.11.2
2.7.9.4
2.6.7.3

The text was updated successfully, but these errors were encountered:

…gadgets, but they seem suspicious enough to block tentatively

Boaz20 · 2018-06-06T04:59:38Z

@cowtowncoder - what was your finding here is it really an issue and if yes - are you planning to fix it in the upcoming 2.9.6 release?

cowtowncoder · 2018-06-08T05:28:09Z

Fix committed earlier as:

https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1

and is included in versions:

2.7.9.4
2.8.11.2
2.9.6

once released.

Merged from FasterXML/jackson-databind#2052

cowtowncoder added the CVE Issues related to public CVEs (security vuln reports) label May 29, 2018

cowtowncoder added a commit that referenced this issue Jun 1, 2018

Preliminary blocks for #2052: not actually sure if there is vuln via …

7487cf7

…gadgets, but they seem suspicious enough to block tentatively

cowtowncoder added the ACTIVE label Jun 1, 2018

cowtowncoder changed the title ~~CVE (id to be allocated): LDAP-backed data source gadgets~~ CVE-2018-12022: Block polymorphic deserialization of types from Oracle JDBC driver Jun 8, 2018

cowtowncoder closed this as completed Jun 8, 2018

cowtowncoder changed the title ~~CVE-2018-12022: Block polymorphic deserialization of types from Oracle JDBC driver~~ CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library Jun 8, 2018

cowtowncoder added a commit that referenced this issue Jun 8, 2018

Backport #2052, #2058 fixes for 2.7.9.4

28badf7

cowtowncoder removed the ACTIVE label Jun 12, 2018

test88d mentioned this issue Apr 8, 2019

(bogus report) #2295

Closed

This was referenced Aug 22, 2019

[deleted] Contrast-Security-OSS/ghardy-test#497

Closed

[deleted] Contrast-Security-OSS/ghardy-test#516

Closed

[deleted] Contrast-Security-OSS/ghardy-test#532

Closed

[deleted] Contrast-Security-OSS/ghardy-test#552

Closed

This was referenced Aug 29, 2019

[deleted] Contrast-Security-OSS/ghardy-test#572

Closed

Vulnerabilities found in com.fasterxml.jackson.core:jackson-databind 2.7.1 Contrast-Security-OSS/ghardy-test#592

Open

cowtowncoder changed the title ~~CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library~~ Block one more gadget type (jodd-db, CVE-2018-12022) Sep 12, 2019

ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019

Block one more gadget type (jodd-db, CVE-2018-12022)

437750a

Merged from FasterXML/jackson-databind#2052

cowtowncoder mentioned this issue Oct 24, 2019

DeserializationContext.handleMissingInstantiator() throws MismatchedInputException for non-static inner classes #2522

Closed

cowtowncoder added this to the 2.9.6 milestone Dec 2, 2020

This was referenced May 10, 2022

CVE-2018-12022 - high detected in com.fasterxml.jackson.core:jackson-databind rhicksiii91/java-goof-test#86

Open

CVE-2018-12022 - high detected in com.fasterxml.jackson.core:jackson-databind rhicksiii91/java-goof-test#183

Open

scott-cx mentioned this issue Aug 1, 2022

CVE-2018-12022 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.6.7.1 scott-cx/edgemere#96

Open

cxronen mentioned this issue Sep 20, 2022

CVE-2018-12022 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 cxronen/BookStore_VSCode#49

Open

margaritalm mentioned this issue Dec 25, 2022

CVE-2018-12022 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.8.9 margaritalm/BookStore_Small_CLI_small#46

Open

This was referenced Feb 15, 2023

CVE-2018-12022 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 cxronen/BookStore_VSCode#352

Open

CVE-2018-12022 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 cxronen/BookStore_VSCode#576

Open

This was referenced Apr 28, 2023

Findings for High davisbarillas/shiftleft-java-demo2#55

Open

Findings for High davisbarillas/JavaVulnerableLab#12

Open

cxronen mentioned this issue May 25, 2023

CVE-2018-12022 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 cxronen/BookStore_VSCode#801

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Block one more gadget type (jodd-db, CVE-2018-12022) #2052

Block one more gadget type (jodd-db, CVE-2018-12022) #2052

cowtowncoder commented May 29, 2018 •

edited

Boaz20 commented Jun 6, 2018

cowtowncoder commented Jun 8, 2018 •

edited

Block one more gadget type (jodd-db, CVE-2018-12022) #2052

Block one more gadget type (jodd-db, CVE-2018-12022) #2052

Comments

cowtowncoder commented May 29, 2018 • edited

Boaz20 commented Jun 6, 2018

cowtowncoder commented Jun 8, 2018 • edited

cowtowncoder commented May 29, 2018 •

edited

cowtowncoder commented Jun 8, 2018 •

edited