
Block one more gadget type (shaded-hikari-config, CVE-2020-9546) #2631

Closed
cowtowncoder opened this issue Feb 27, 2020 · 8 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone

Comments

cowtowncoder (Member) commented Feb 27, 2020

(note: placeholder until verified/validated, fix provided)

Another gadget type reported regarding a class of [TO BE ADDED].
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-9546
Reporters: threedr3am & LFY

Fix will be included in:

  • 2.9.10.4
  • 2.8.11.6 (jackson-bom version 2.8.11.20200310)
  • 2.7.9.7
  • Does not affect 2.10.0 and later
@cowtowncoder cowtowncoder added 2.9 CVE Issues related to public CVEs (security vuln reports) labels Feb 27, 2020
@cowtowncoder cowtowncoder added this to the 2.9.10.4 milestone Mar 1, 2020
cowtowncoder added a commit that referenced this issue Mar 1, 2020
carnil commented Mar 2, 2020

CVE-2020-9546 seems to have been assigned.

@cowtowncoder cowtowncoder changed the title Block one more gadget type (shaded-hikari-config, CVE-to-be-allocated) Block one more gadget type (shaded-hikari-config, CVE-2020-9546) Mar 3, 2020
cowtowncoder (Member, Author) commented:

@carnil thank you: yes, I did get a response that this is the CVE id allocated.

romansok commented Mar 8, 2020

(note: placeholder until verified/validated, fix provided)

Another gadget type reported regarding a class of [TO BE ADDED].
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-9546
Reporters: threedr3am & LFY

Fix will be included in:

  • 2.9.10.4
  • Does not affect 2.10.0 and later

Hi @cowtowncoder,

I am using jackson-databind 2.10 and I noticed that the fix was included in version 2.10.3, but according to this report, 2.10.0 and later are not affected.

Can you please advise if any of the 2.10.x versions are vulnerable following this issue?

cowtowncoder (Member, Author) commented:

@romansok 2.10.x (and later versions) is not affected by this CVE, exactly as the description says.

For convenience, the block-list entry is still included (otherwise merging from earlier versions would always need manual resolution) and hence merged. The same is true all the way to the master branch (3.0).

qxo pushed a commit to qxo/jackson-databind that referenced this issue Mar 10, 2020
cowtowncoder added a commit that referenced this issue Mar 10, 2020
gonfva-bcl commented:

Hi,
Apparently this is closed in 2.9.10.4, but I don't think that version has been released.
https://search.maven.org/artifact/com.fasterxml.jackson.core/jackson-databind
Should I open a different issue?
Thanks

cowtowncoder (Member, Author) commented:

@gonfva-bcl Open a different issue for what? No need wrt making the 2.9.10.4 release -- it is delayed partly because there has been a recent flood of submissions, not because the release is forgotten. There are for now 7 additions, this one included. 2 are work in progress wrt CVE id.

I also try to focus hard on getting 2.11.0.rc1 out ASAP since there is not much value in updating block lists like here -- researchers will find more, from all the tens of thousands of OSS libraries, with diminishing returns (since actual vulnerabilities only affect a small subset of users, both wrt default typing being a minority option and the existence of the specific jar in the classpath).

I was hoping to get 2.9.10.4 released over the weekend but that did not happen. Next ETA would be next weekend, i.e. in 5 days.
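The comment above explains why a block-list entry only matters when default typing is enabled and the gadget's jar is on the classpath. The following is an added example (not code from this issue or from the jackson-databind project) contrasting the unrestricted 2.9-era setting with the 2.10+ allow-list approach; it assumes Jackson 2.10 or later and a hypothetical application package `com.example.model`:

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingConfig {

    // Weak: unrestricted global default typing (deprecated since 2.10). Any class
    // present on the classpath can be named in input, so the deserializer is only
    // as safe as the block list, which is what this issue keeps extending.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened: default typing is only activated with an allow-list validator.
    // Subtypes outside the application's own package (assumed here to be
    // com.example.model) are rejected regardless of what the block list knows about.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Best: leave default typing off entirely and annotate the few polymorphic
    // base types with @JsonTypeInfo, each carrying its own validator if needed.
    public static ObjectMapper defaultMapper() {
        return new ObjectMapper();
    }
}
```

The allow-list rejects unknown type ids with an InvalidDefinitionException at deserialization time, which is easy to log and alert on, whereas a block-list miss fails silently by succeeding.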

lobozhu commented Mar 23, 2020

@cowtowncoder
Would you please tell us when 2.9.10.4 will be released?
We have to upgrade jackson-databind to this version. Thank you very much.

cowtowncoder (Member, Author) commented:

@lobozhu yes, I will do that when I have time to release it. At this point, it likely won't be until next weekend, since there is one more open report to handle.

martokarski pushed a commit to atlassian/jackson-1 that referenced this issue May 8, 2020