
Block more JDK types from polymorphic deserialization (CVE 2017-15095) #1737

Closed
cowtowncoder opened this issue Aug 17, 2017 · 7 comments

@cowtowncoder
Member

commented Aug 17, 2017

(note: follow-up for #1599)

After the initial set of types was blocked, new reports have arrived asking for more blacklisting.
Although the eventual approach is likely to rely on a separate module (for more timely updates and wider version coverage), at this point an addition in databind is needed.

I will update the specific list of additions once complete and the release is out. Target versions are 2.8.10 and 2.9.1 -- it is possible to backport in 2.7 and even 2.6, but there are diminishing returns on effort with those versions, so it will not happen unless specifically requested (I'm happy to merge PRs).
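The configuration this thread is about, as an added illustration rather than code from the issue or from jackson-databind itself: the first mapper below is the "default typing" setup (2.9-era API) in which the JSON payload names the class to instantiate, which is why a blacklist of JDK gadget types is needed at all; the second uses the allowlist-based PolymorphicTypeValidator API that jackson-databind added in 2.10, later than the 2.8/2.9 releases discussed here. The class names DefaultTypingDemo and Note, and the two JSON payloads, are constructed for the example.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added illustration, not code from this issue or from jackson-databind.
 * DefaultTypingDemo and Note are hypothetical application classes.
 */
public class DefaultTypingDemo {

    /** The only application type we actually intend to accept polymorphically. */
    public static class Note {
        public String text;
    }

    /**
     * Vulnerable configuration (2.9-era API): global default typing with no
     * restriction on which class an incoming type id may name. A value declared
     * as Object will be instantiated as whatever class the JSON names, and only
     * the hard-coded blacklist extended in this issue stands between the payload
     * and every class on the classpath.
     */
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        return new ObjectMapper()
                .enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /**
     * Hardened configuration (2.10+ API): default typing is only activated
     * together with a validator that allowlists our own type, so the type id
     * in the payload must name a class we chose rather than one the sender chose.
     */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        return new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /** Deserialize into Object, the target type for which attacker-chosen type ids matter. */
    static String tryRead(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return "accepted: " + value.getClass().getName();
        } catch (JsonMappingException e) {
            // Validator denials surface as InvalidTypeIdException, a JsonMappingException
            return "rejected: " + e.getOriginalMessage();
        } catch (IOException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs. With Jackson's default WRAPPER_ARRAY inclusion the
        // type id travels as the first element of a two-element array.
        String intended = "[\"" + Note.class.getName() + "\",{\"text\":\"hello\"}]";
        // A JDK class the application never meant to accept. Harmless here, but the
        // same mechanism is what the gadget classes blacklisted in this issue abuse.
        String foreign = "[\"java.util.HashMap\",{\"a\":\"b\"}]";

        System.out.println("vulnerable, intended: " + tryRead(vulnerableMapper(), intended));
        System.out.println("vulnerable, foreign:  " + tryRead(vulnerableMapper(), foreign));
        System.out.println("hardened,   intended: " + tryRead(hardenedMapper(), intended));
        System.out.println("hardened,   foreign:  " + tryRead(hardenedMapper(), foreign));
    }
}
```

The vulnerable mapper instantiates both payloads, because nothing ties the type id to the application's own types; the hardened mapper still accepts the Note payload but denies the java.util.HashMap type id before any instance is created. The point for anyone on the versions discussed here is that a blacklist only ever covers the gadget classes that are already known, whereas an allowlist (or simply not enabling default typing) removes the class-name-in-payload channel altogether.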

@tolbertam


Contributor

commented Dec 12, 2017

Target versions are 2.8.10 and 2.9.1 -- it is possible to backport in 2.7 and even 2.6

It would be really nice to have this for 2.7 as well since 2.8 requires JDK 7 and a library I maintain which depends on jackson-databind supports JDK 6 (for a little while longer). I created #1857 to apply ddfddfb on 2.7, it would be really great if that could be included in a future 2.7 release, thanks!

cowtowncoder added a commit that referenced this issue Dec 12, 2017

@cowtowncoder


Member Author

commented Dec 12, 2017

@tolbertam Thanks. I'll keep this in mind -- there are occasionally other updates in this area. There is some cost for us to maintain older versions, but 2.7 is probably ok for simple blacklist additions.
Thank you for your help with backport.

@cowtowncoder cowtowncoder added the CVE label Dec 21, 2017

@cowtowncoder cowtowncoder changed the title Block more JDK types from polymorphic deserialization Block more JDK types from polymorphic deserialization (CVE 2017-15095) Dec 21, 2017

@poverma



commented Jan 31, 2018

As per the conversation it looks like this "CVE 2017-15095" is not fixed in version 2.6.7.1. As mentioned, it is possible to backport to 2.6 as well; it would be really nice to have this for 2.6.
Actually we are using version 2.6.1, and if we move to 2.8.10 or 2.9.1 it gives us a lot of dependency changes in scala_module_2_11.

@cowtowncoder


Member Author

commented Jan 31, 2018

@poverma As a volunteer-based OSS project we do not have the resources to maintain a large number of backported versions; and since there is no revenue it is even counter-productive to do so. The more they are supported, the more users postpone upgrades. So at this point it is unlikely that the 2.6 version will get more fixes, at least for the polymorphic deserialization problem, which only affects a certain group of users and is not a general security issue.

@poverma



commented Feb 7, 2018

Thanks cowtowncoder. We have tried with jackson-databind version 2.9.4; for that we have to upgrade the Scala minor version to 11, but there is a dependency issue.
What we changed:

```groovy
jackson: [[group: 'com.fasterxml.jackson.core', name: 'jackson-core', version: '2.9.4'],
          [group: 'com.fasterxml.jackson.core', name: 'jackson-annotations', version: '2.9.4'],
          [group: 'com.fasterxml.jackson.jaxrs', name: 'jackson-jaxrs-json-provider', version: '2.9.4'],
          [group: 'com.fasterxml.jackson.jaxrs', name: 'jackson-jaxrs-base', version: '2.9.4'],
          [group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.9.4'],
          [group: 'com.fasterxml.jackson.module', name: 'jackson-module-scala_2.11', version: '2.9.4']],
```

Error:

```
* What went wrong:
  Execution failed for task ':apps:release:dependencies'.

Could not resolve all dependencies for configuration ':apps:release:resolve'.
A conflict was found between the following modules:
- org.scala-lang:scala-reflect:2.11.11
- org.scala-lang:scala-reflect:2.11.7
```

@cowtowncoder


Member Author

commented Feb 11, 2018

Problems with Scala version compatibility are unrelated, but you might want to upgrade to 2.8.11 instead, as the first step.

As to conflict itself: that is something your build system (gradle?) would have to help with.

