Block two more gadget types (commons-configuration/-2) #2462

Closed
ybhou1993 opened this issue Sep 19, 2019 · 9 comments
ybhou1993 commented Sep 19, 2019

Another gadget (*) type report regarding a class of commons-configuration (and later commons-configuration2) package(s)

Mitre id: not yet allocated
Reporter: @ybhou1993

Fixed in:

  • 2.9.10 and later
  • 2.8.11.5
  • 2.6.7.3
  • does not affect 2.10.0 and later

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type

cowtowncoder added the labels "need-test-case" (To work on issue, a reproduction (ideally unit test) needed) and "2.10" Sep 19, 2019

melloware commented Sep 20, 2019

Since you mentioned commons config 1.9 you might also want to block commons-configuration2 which is a different class.

org.apache.commons.configuration2.JNDIConfiguration

cowtowncoder (Member) commented

I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

ybhou1993 (Author) commented

> I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

I agree with what you said. Besides, I would like to know if the 2.9.10 version will be released in mid-October or later?

ybhou1993 (Author) commented

> I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

I have sent an email to info@fasterxml.com. The article is written in Chinese, published in a Chinese security community.

cowtowncoder (Member) commented

I hope 2.9.10 can be released early in October, in the first part. I just want to wait for 2.10.0 to get out first.
Thank you for sending more details, that should be helpful.

cowtowncoder removed the label "need-test-case" (To work on issue, a reproduction (ideally unit test) needed) Sep 20, 2019
cowtowncoder modified the milestones: 2.9,0.pr4, 2.9.10 Sep 20, 2019

cowtowncoder commented Sep 20, 2019

Ok, so, commons-configuration (and -2) seem plausible via setProperty() (as per article) so I added blocks.
This issue shall remain for those ones.

I filed Xalan part under #2469

cowtowncoder changed the title from "new gadgets which can cause RCE" to "Block two more gadget type (commons-configuration/-2)" Sep 20, 2019
cowtowncoder changed the title from "Block two more gadget type (commons-configuration/-2)" to "Block two more gadget types (commons-configuration/-2)" Sep 27, 2019
cowtowncoder (Member) commented

2.9.10 not released, contains blocks. 2.10.0 released, does contain block, but not considered vulnerable since "enableDefaultTyping()" deprecated, safe "activateDefaultTyping()" added.
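The distinction in the comment above (deprecated `enableDefaultTyping()` that relies only on the gadget blocklist, versus `activateDefaultTyping()` that requires a `PolymorphicTypeValidator` allowlist) is what a consumer of jackson-databind 2.10+ actually has to act on. The following is an added example, not code from this issue or from the jackson-databind project: it builds both mapper configurations and shows the allowlisted mapper rejecting a JSON payload that names the `org.apache.commons.configuration2.JNDIConfiguration` class mentioned in the thread. The `DefaultTypingExample` and `Greeting` classes and both JSON strings are constructed for illustration; the gadget-shaped payload carries an empty object body, so none of the class's setter behaviour is exercised, and the commons-configuration2 jar need not be present. It assumes jackson-databind 2.10 or later on the classpath.

```java
// Added example (not from the jackson-databind issue or project). Assumes
// jackson-databind 2.10+. Shows activateDefaultTyping() with an allowlist
// rejecting a type id that is not ours, next to the deprecated
// enableDefaultTyping() configuration that depends solely on the blocklist.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Constructed, harmless bean that the allowlist permits.
    public static class Greeting {
        public String text;
    }

    // Constructed payloads in Jackson's default-typing array form:
    // ["<fully qualified class name>", { ...properties... }].
    // The first names the class discussed in the thread with an empty body,
    // so no setter (and no JNDI lookup) is ever invoked here.
    static final String GADGET_SHAPED_JSON =
        "[\"org.apache.commons.configuration2.JNDIConfiguration\", {}]";
    static final String BENIGN_JSON =
        "[\"DefaultTypingExample$Greeting\", {\"text\":\"hello\"}]";

    // Hardened configuration (2.10+): default typing is only active with a
    // PolymorphicTypeValidator, and this one allows only our own nested classes.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(DefaultTypingExample.class.getName() + "$")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Legacy configuration: any class name in the JSON is a candidate unless the
    // built-in blocklist (the "blocks" this issue adds to) names it. Kept only
    // for contrast; it is the shape that the thread considers vulnerable.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper hardened = hardenedMapper();

        // Allowlisted type: resolves to Greeting as expected.
        Object ok = hardened.readValue(BENIGN_JSON, Object.class);
        System.out.println("allowlisted type deserialized: " + ok.getClass().getName());

        // Foreign type id: rejected before any bean deserializer is built,
        // regardless of whether the named class is on the classpath.
        try {
            hardened.readValue(GADGET_SHAPED_JSON, Object.class);
            System.out.println("unexpected: gadget-shaped type id accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected by allowlist: " + e.getTypeId());
        }
    }
}
```

The allowlist is the important part: with `activateDefaultTyping()` the validator, not the blocklist, decides which type ids may be resolved, so newly reported gadget classes such as the two in this issue never need to be known to the application. A `legacyMapper()` instance would instead accept any class on the classpath that the blocklist does not name, which is why the thread treats `enableDefaultTyping()` as the vulnerable configuration.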
