Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531) #2498

Closed
cowtowncoder opened this issue Oct 12, 2019 · 1 comment
Closed

Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531) #2498

cowtowncoder opened this issue Oct 12, 2019 · 1 comment
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10.1

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Oct 12, 2019
edited

Another gadget type reported regarding a class of apache-log4j-extras package.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2019-17531
Reporter: 张先辉 Zhangxianhui

Fix will be included in:

  • 2.9.10.1
  • 2.8.11.5
  • 2.6.7.3
  • does not affect 2.10.0 and later
@cowtowncoder cowtowncoder added 2.9 CVE Issues related to public CVEs (security vuln reports) labels Oct 12, 2019
@cowtowncoder cowtowncoder added this to the 2.9.10.1 milestone Oct 12, 2019
@cowtowncoder
Copy link
Member Author

Fixed: off to file for CVE ID.

Also need to consider timing of 2.9.10 now; we have two separate issues.

@cowtowncoder cowtowncoder changed the title Block one more gadget type (apache-log4j-extras/1.2, CVE to be allocated) Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531) Oct 12, 2019
@adriangonz adriangonz mentioned this issue Oct 22, 2019
Closed
ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019
@ablekhman
Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531)
d674dd9 
Merged from FasterXML/jackson-databind#2498
julianladisch added a commit to folio-org/raml-module-builder that referenced this issue Nov 5, 2019
@julianladisch
RMB-504: Jackson-* version 2.10.0, fixes jackson-databind vulnerabili…
82699c1 
…ties.

Three serialization gadget (= polymorphic typing) security vulnerability issues have been reported against jackson-databind versions before 2.9.10.1:

jackson-databind 2.9.10.1 (released 2019-10-20) fixes
* commons-dbcp, p6spy ([CVE-2019-16942|https://nvd.nist.gov/vuln/detail/CVE-2019-16942] / [CVE-2019-16943|https://nvd.nist.gov/vuln/detail/CVE-2019-16943] = [jackson-databind #2478|FasterXML/jackson-databind#2478])
* log4j-extras/1.2 ([CVE-2019-17531|https://nvd.nist.gov/vuln/detail/CVE-2019-17531] = [jackson-databind #2498|FasterXML/jackson-databind#2498])

jackson-databind [2.9.10.2|https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches] (not yet released) fixes
* ehcache/JNDI (CVEs to be allocated = [jackson-databind #2526|FasterXML/jackson-databind#2526])

See also
* [On Jackson CVEs: Don't Panic — Here is what you need to know|https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062]
* [Jackson 2.10 features (esp "Safe Default Typing" to vanquish stream of CVE patches!)|https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2]
@julianladisch julianladisch mentioned this issue Nov 5, 2019
Merged
@cowtowncoder cowtowncoder mentioned this issue Nov 25, 2019
Closed
@padma81 padma81 mentioned this issue Jul 28, 2020
Closed
@sijie sijie mentioned this issue Jul 28, 2020
Open
This was referenced May 10, 2022
Open
Open
@scott-cx scott-cx mentioned this issue Aug 1, 2022
Open
@cxronen cxronen mentioned this issue Sep 20, 2022
Open
@margaritalm margaritalm mentioned this issue Dec 25, 2022
Open
@cxronen cxronen mentioned this issue Apr 13, 2023
Closed
This was referenced Apr 28, 2023
Open
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10.1
Development

No branches or pull requests
1 participant
@cowtowncoder