Jackson Deserializer security vulnerability via default typing (CVE-2017-7525) #1599

Closed
ayound opened this issue Apr 11, 2017 · 57 comments
Labels: CVE

Comments

@ayound ayound commented Apr 11, 2017

I have sent an email to info@fasterxml.com

@ayound ayound closed this Apr 11, 2017
@ayound ayound reopened this Apr 11, 2017
@ayound ayound changed the title from "Jackson Deserializer vulnerability, can execute any code or command" to "Jackson Deserializer security vulnerability" Apr 11, 2017
@cowtowncoder cowtowncoder (Member) commented Apr 13, 2017

I have received this and am investigating a possible patch. The problem is quite specific, but some aspects are more general.

cowtowncoder added a commit that referenced this issue Apr 13, 2017
Merge branch '2.7' into 2.8
@cowtowncoder cowtowncoder added this to the 2.8.9 milestone Apr 13, 2017
@cowtowncoder cowtowncoder (Member) commented Apr 13, 2017

Fixed in 2.7, 2.8 and master (to the best of my knowledge): will be in 2.8.9 and 2.7.9.1, as well as 2.9.0.pr3.

@Viyond Viyond commented Apr 17, 2017

nice~

@ayound ayound (Author) commented Apr 17, 2017

When do you want to release 2.7.10, 2.8.9 and 2.9.0.pr3?

@JoyChou93 JoyChou93 commented Apr 17, 2017

When do you want to release 2.7.10, 2.8.9 and 2.9.0.pr3?

@OneSourceCat OneSourceCat commented Apr 17, 2017

I don't think a blacklist is a good mechanism to prevent this issue, because there are other Java deserialization gadgets or ClassLoaders that can cause this problem, including com.sun.org.apache.xalan, which is in your list.

@ayound ayound (Author) commented Apr 17, 2017

I suggest you use a blacklist like this:

```
"^bsh[.].*", "^com[.]google[.]inject[.].*", "^com[.]mchange[.]v2[.]c3p0[.].*",
"^com[.]sun[.]jndi[.].*", "^com[.]sun[.]corba[.].*", "^com[.]sun[.]javafx[.].*",
"^com[.]sun[.]org[.]apache[.]regex[.]internal[.].*", "^java[.]awt[.].*", "^java[.]rmi[.].*",
"^javax[.]management[.].*", "^javax[.]naming[.].*", "^javax[.]script[.].*", "^javax[.]swing[.].*",
"^org[.]apache[.]commons[.]beanutils[.].*", "^org[.]apache[.]commons[.]collections[.]functors[.].*",
"^org[.]apache[.]myfaces[.].*", "^org[.]apache[.]wicket[.].*", ".*org[.]apache[.]xalan.*",
"^org[.]codehaus[.]groovy[.]runtime[.].*", "^org[.]hibernate[.].*", "^org[.]python[.].*",
"^org[.]springframework..*", "^sun[.]rmi[.].*", "^javax[.]imageio[.].*",
"^java[.]util[.]ServiceLoader$", "^java[.]net[.]URLClassLoader$"
```

@channingwen channingwen commented Apr 17, 2017

Hello everybody, I am waiting for the new version. Where can I get the releases 2.7.10, 2.8.9 and 2.9.0.pr3?

@maluguos maluguos commented Apr 17, 2017

@cowtowncoder When will 2.8.9 be released? I can't find it in the mvn repo or git releases...

@taisenki taisenki commented Apr 18, 2017

When will 2.8.9 be released? I am waiting for the new version...

@cowtowncoder cowtowncoder (Member) commented Apr 18, 2017

@maluguos I do not release a new version for every single bug fix. Have a look at the release schedule:

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.7

A new version is unlikely to be released within the next couple of weeks. Same goes for 2.8.9.
If a new version is needed sooner, you will need to use a local snapshot build.

@kuaike kuaike commented Apr 18, 2017

Waiting for the 2.8.9 release...

@cowtowncoder cowtowncoder (Member) commented Apr 18, 2017

@ayound I appreciate the list, but to be honest I think that restriction within core databind needs to be focused on demonstrable security concerns. There are many types that could potentially be problematic, but I would hesitate to include very wide limits on, say, org.springframework, since there are utility types that may well be already in use by some users.
For 2.8 I did include a few types as per:

https://github.com/kantega/notsoserial

so I am not against extending the list, but at this point I prefer keeping the static blacklist to a minimum.

@cowtowncoder cowtowncoder (Member) commented Apr 18, 2017

Everyone: I did do mvn deploy for the 2.8 branches, so snapshots via the Sonatype snapshot repository (for 2.8.9-SNAPSHOT) should have initial protection for the vulnerabilities indicated.

Perhaps more importantly, I just pushed micro-patch 2.7.9.1 of jackson-databind: it should be available soon via Maven Central. I decided to do this because it is not clear whether there will be more 2.7 full releases (and if so, when), and due to the criticality of this fix it seemed better to release a micro-patch at this point.

As to 2.8: the set of fixes is rather short, still:

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.8.9

so I'll think about whether I should similarly release 2.8.8.1, as a full release may take time (although there will certainly still be a 2.8.9, as 2.9 is not yet released).

If anyone feels urgency wrt 2.8 please let me know.

@logan2013 logan2013 commented Apr 18, 2017

Everyone: Any impact on version 2.1.0?

Thank you in advance

@cowtowncoder cowtowncoder (Member) commented Apr 18, 2017

@logan2013 Yes, if (and only if):

  1. The object model is using either "default typing", or @JsonTypeInfo with a nominal base type of java.lang.Object (or one of a small number of tag-on "tag" types like java.io.Serializable and perhaps java.util.Comparable)
  2. JSON content comes from an untrusted source, that is, someone can craft a specific JSON message.

If so, there is at least one reproduction of an issue.

Now: as to versions prior to 2.7: I have a plan to implement a new Jackson module which can be used with ALL 2.x versions, including 2.1.0. This may take a bit more time, but would be more useful than handling it within jackson-databind.

I hope this helps.
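As an added illustration of the two conditions listed above (this is example code, not code from the thread or from the Jackson project), the risky shape of a model and mapper is shown beside a hardened one. The hardened mapper relies on the PolymorphicTypeValidator API that jackson-databind introduced in 2.10, later than the versions discussed here; the package prefix com.example.app. and the Ping/Note types are assumptions.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Condition 1 from the comment above: a property whose nominal type is
    // java.lang.Object with class-name based type info. The JSON, not the
    // application, decides which class gets instantiated here.
    static class RiskyEnvelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Hardened shape: a closed set of subtypes chosen by logical name, so the
    // JSON can only select among classes the application registered itself.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Ping.class, name = "ping"),
        @JsonSubTypes.Type(value = Note.class, name = "note")
    })
    interface Payload {}
    static class Ping implements Payload { public long ts; }      // assumed type
    static class Note implements Payload { public String text; }  // assumed type

    static class SafeEnvelope {
        public Payload payload;
    }

    // Risky mapper: global default typing with no restriction on subtypes.
    static ObjectMapper riskyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // Hardened mapper (2.10+): default typing is only honoured for subtypes
    // under the application's own package; any other class name is rejected.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.") // assumed application package
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }
}
```

Reading `{"payload":{"type":"note","text":"hi"}}` into SafeEnvelope with a plain ObjectMapper yields a Note; a payload naming any class outside the registered subtypes (or, for the hardened mapper, outside the allowed prefix) fails to deserialize instead of being instantiated.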

@alexchenfeiyu alexchenfeiyu commented Apr 19, 2017

@cowtowncoder Hello, our product uses 2.8.1 and we need to solve the problem urgently. What can we do? We hope for your help!
Thank you in advance

@ycrxun ycrxun commented Apr 19, 2017

Everyone: Any impact on version 1.x?
Thank you in advance

@paulwong888 paulwong888 commented Apr 19, 2017

@cowtowncoder Any impact on Jackson 2.7.5 + JDK 1.7 and above?

@cowtowncoder cowtowncoder (Member) commented Apr 19, 2017

@alexchenfeiyu Do you know the vulnerability and that it affects you? I appreciate your general concern, but the vulnerability is quite specific and does not apply to the majority of users.
Anyway: I will go ahead now and release 2.8.8.1: it will be available within a couple of hours.

@ycrxun In theory yes, versions 1.5 and above.

@paulwong888 As per above, not very specific to the Jackson version: but you may want to use jackson-databind 2.7.9.1 since it's the first one to have the fix.
However: it is possible the JDK version matters; it might not work on later JDK versions -- but I don't have specific knowledge that it would be prevented by a particular version. Using the latest JDK from a given line could be safer (depends on the embedded version of the XSL engine the JDK bundles).

As to vulnerability, this only applies to polymorphic type handling via default typing (or especially annotated @JsonTypeInfo on java.lang.Object type property) -- and obviously JSON crafted by untrusted third party.

@shellb0y shellb0y commented Apr 20, 2017

@cowtowncoder I did not find the 2.8.8.1 URL, please provide this URL, thank you!
