Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943) #2478

Closed
bsmali4 opened this issue Sep 27, 2019 · 14 comments
Closed

Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943) #2478

bsmali4 opened this issue Sep 27, 2019 · 14 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10.1

Comments

@bsmali4
Copy link

bsmali4 commented Sep 27, 2019
edited by cowtowncoder

Another 2 gadget (*) types reported regarding classes of commons-dbcp and p6spy packages.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2019-16942 (commons-dbcp)
Mitre id: CVE-2019-16943 (p6spy)
Reporter: b5mali4

Fixed in:

  • 2.9.10.1 (use jackson-bom version 2.9.10.20191020)
  • 2.6.7.3
  • 2.8.11.5
  • does not affect 2.10.0 and later
@cowtowncoder
Copy link
Member

Email received (read that before seeing this issue).
Will change descriptions slightly.

@cowtowncoder cowtowncoder changed the title Block two new serialization gadgets Block two more gadget types (commons,dbcp, p6spy) Sep 27, 2019
@cowtowncoder cowtowncoder added 2.9 CVE Issues related to public CVEs (security vuln reports) labels Sep 27, 2019
@cowtowncoder cowtowncoder changed the title Block two more gadget types (commons,dbcp, p6spy) Block two more gadget types (commons-dbcp, p6spy) Sep 29, 2019
cowtowncoder added a commit that referenced this issue Sep 29, 2019
@cowtowncoder
manual merge of #2478 fix for 2.9.10.1
bc67eb1
@cowtowncoder cowtowncoder added this to the 2.9.10 milestone Sep 29, 2019
cowtowncoder added a commit that referenced this issue Sep 29, 2019
@cowtowncoder
Complete #2478 fix
328a0f8
cowtowncoder added a commit that referenced this issue Sep 29, 2019
@cowtowncoder
More clean up after #2478
54aa38d
@cowtowncoder cowtowncoder changed the title Block two more gadget types (commons-dbcp, p6spy) Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943) Sep 30, 2019
@melloware
Copy link

@cowtowncoder I think you have the Milstone of 2.9.10 wrong on this ticket as it was fixed after 2.9.10. Wouldn't it be 2.9.10.1 ?

@cowtowncoder
Copy link
Member

@melloware Yes, you are right. Will fix the milestone, for some reason set it incorrectly (possibly due to auto-completion).

@cowtowncoder cowtowncoder modified the milestones: 2.9.10, 2.9.10.1 Oct 7, 2019
marco-schmidt added a commit to marco-schmidt/am that referenced this issue Oct 9, 2019
@marco-schmidt
fix CVE-2019-16942, CVE-2019-16943
0f73a08 
by upgrading dependency jackson-databind/ to 2.10.0: FasterXML/jackson-databind#2478
marco-schmidt added a commit to marco-schmidt/amweb that referenced this issue Oct 9, 2019
@marco-schmidt
fix CVE-2019-16942, CVE-2019-16943
3b0ba36 
by upgrading dependency jackson-databind/ to 2.10.0 FasterXML/jackson-databind#2478
@foxylion
Copy link

@cowtowncoder Is there a planned release date for 2.9.10.1?

@cowtowncoder
Copy link
Member

There is no strict rule; ideally I'd want more than just one fix in a new release, but I understand that for CVEs there is bit more urgency. Since 2.9.10 was released on September 21, I think realistic timeline would be within October. So I am thinking of releasing a micro-patch by end of next week, so around 19th or so.

ryber added a commit to Kong/unirest-java that referenced this issue Oct 12, 2019
@ryber
ignore Jackson CVE until they issue a patch: FasterXML/jackson-databi…
107a059 
…nd#2478
@foxylion
Copy link

Thanks @cowtowncoder. That sounds reasonable.

@msymons
Copy link

msymons commented Oct 14, 2019

@cowtowncoder, will there be an updated jackson-bom to match the micro-patch? ie, similar to 2.9.9.20190807.
@bsmali4, does CVE-2019-16942 occurs when commons-dbcp (1.4) jar is in the classpath. Does the risk not occur with older versions of dbcp? or with dbcp2?

ryber added a commit to Kong/unirest-java that referenced this issue Oct 14, 2019
@ryber
ignore Jackson CVE until they issue a patch: FasterXML/jackson-databi…
e8bd89d 
…nd#2478
@bsmali4
Copy link
Author

bsmali4 commented Oct 15, 2019

@msymons I regret to tell you,the risk occur with older versions of dbcp,dbcp2.

alxgln added a commit to boclips/kaltura-client that referenced this issue Oct 15, 2019
@alxgln @antonyoneill
Suppress CVE on databind
d909d15 
- CVE-2019-16942
- CVE-2019-16943

FasterXML/jackson-databind#2478

Signed-off-by: Antony O'Neill <antony@boclips.com>
@cowtowncoder
Copy link
Member

@msymons yes, I plan to also publish matching jackson-bom.

ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019
@ablekhman
Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CV…
6f33ac7 
…E-2019-16943)

Merged from FasterXML/jackson-databind#2478
@mend-for-github-com mend-for-github-com bot mentioned this issue Oct 24, 2019
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Oct 24, 2019
Closed
This was referenced Mar 7, 2020
Open
Open
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Mar 23, 2020
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Apr 24, 2020
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue May 1, 2020
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue May 4, 2020
Closed
martokarski pushed a commit to atlassian/jackson-1 that referenced this issue May 8, 2020
Complete databind#2478 fix
2338ddd 
Merged from FasterXML/jackson-databind#2478
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue May 13, 2020
Closed
This was referenced May 13, 2020
Open
Open
@padma81 padma81 mentioned this issue Jul 28, 2020
Closed
@sijie sijie mentioned this issue Jul 28, 2020
Open
This was referenced May 10, 2022
Open
Open
Open
Open
This was referenced Aug 1, 2022
Open
Open
This was referenced Sep 20, 2022
Open
Open
This was referenced Dec 25, 2022
Open
Open
This was referenced Feb 15, 2023
Open
Open
Closed
This was referenced Apr 28, 2023
Open
Open
This was referenced May 25, 2023
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10.1
Development

No branches or pull requests
7 participants
@cowtowncoder @foxylion @melloware @msymons @larrywest @bsmali4 @Nildha