Block more JDK types from polymorphic deserialization (CVE 2017-15095) #1737

Closed
cowtowncoder opened this Issue Aug 17, 2017 · 7 comments

@cowtowncoder
Member

cowtowncoder commented Aug 17, 2017

(note: follow-up for #1599)

After the initial set of types was blocked, new reports have arrived for more blacklisting.
Although the eventual approach is likely to rely on a separate module (for more timely updates and wider version coverage), at this point an addition in databind is needed.

I will update specific list of additions once complete and release is out. Target versions are 2.8.10 and 2.9.1 -- it is possible to backport in 2.7 and even 2.6, but there is diminishing return on effort with those versions so it will not happen unless specifically requested (I'm happy to merge PRs).
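To make concrete what "polymorphic deserialization" means here and why a type blacklist is needed at all, the following is an added example; it is not code from this issue or from jackson-databind itself. It assumes jackson-databind 2.8.x or 2.9.x on the classpath (enableDefaultTyping() is deprecated from 2.10 onward), and all class, field and type-id names in it are made up for the illustration. It contrasts the global default-typing configuration that the affected users run, where the JSON document picks the class to instantiate, with a closed @JsonSubTypes allowlist where only named subtypes can be resolved.

```java
// Added example, not from the issue or the jackson-databind code base.
// Assumes jackson-databind 2.8.x/2.9.x; enableDefaultTyping() is deprecated since 2.10
// in favour of activateDefaultTyping(PolymorphicTypeValidator, ...).
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class PolymorphicTypingDemo {

    // Any bean with an Object-typed property. With default typing enabled, the JSON
    // document, not the application, decides which class gets instantiated here.
    public static class Envelope {
        public Object payload;
    }

    // Closed hierarchy: the type id is a logical name mapped to an explicit list of
    // subtypes, so a document cannot name a class the application never intended.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}
    public static class Circle implements Shape { public double r; }
    public static class Square implements Shape { public double side; }

    public static class Drawing {
        public Shape shape;
    }

    // The configuration this issue's affected users have: global default typing.
    // For Object and abstract targets Jackson reads ["fully.qualified.ClassName", value]
    // and instantiates whatever class the document names (minus the built-in blacklist).
    static ObjectMapper riskyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // No default typing: class names inside the document are never consulted.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a document that names a class by FQCN. Here it names a
        // harmless class from this file; the blacklist exists because an attacker
        // would name a gadget class instead.
        String attackerChosen =
            "{\"payload\":[\"" + Circle.class.getName() + "\",{\"r\":2.0}]}";

        Envelope e1 = riskyMapper().readValue(attackerChosen, Envelope.class);
        // The document picked the class: payload is a Circle instance.
        System.out.println("default typing: payload is " + e1.payload.getClass().getName());

        Envelope e2 = hardenedMapper().readValue(attackerChosen, Envelope.class);
        // Without default typing the class name is just a string element of a List.
        System.out.println("no default typing: payload is " + e2.payload.getClass().getName());

        // Allowlisted polymorphism: only the ids "circle" and "square" resolve.
        Drawing d = hardenedMapper()
            .readValue("{\"shape\":{\"kind\":\"circle\",\"r\":1.5}}", Drawing.class);
        System.out.println("allowlisted: shape is " + d.shape.getClass().getSimpleName());

        try {
            // A class name is not a registered type id, so this is rejected.
            hardenedMapper()
                .readValue("{\"shape\":{\"kind\":\"java.util.HashMap\"}}", Drawing.class);
        } catch (JsonMappingException ex) {
            System.out.println("rejected unknown type id: " + ex.getOriginalMessage());
        }
    }
}
```

The blacklist this issue extends only changes the riskyMapper() path: with it in place, a document naming one of the blocked classes fails with a JsonMappingException instead of being instantiated. That is a denylist of known gadget types and has to be kept growing as new ones are reported, which is what the backport requests below are about; the @JsonSubTypes form is the durable fix because the set of instantiable classes is fixed by the application rather than by the input.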

Contributor

tolbertam commented Dec 12, 2017

Target versions are 2.8.10 and 2.9.1 -- it is possible to backport in 2.7 and even 2.6

It would be really nice to have this for 2.7 as well, since 2.8 requires JDK 7 and a library I maintain which depends on jackson-databind supports JDK 6 (for a little while longer). I created #1857 to apply ddfddfb on 2.7; it would be really great if that could be included in a future 2.7 release. Thanks!

cowtowncoder added a commit that referenced this issue Dec 12, 2017

Member

cowtowncoder commented Dec 12, 2017

@tolbertam Thanks. I'll keep this in mind -- there are occasionally other updates in this area. There is some cost for us to maintain older versions, but 2.7 is probably OK for simple blacklist additions.
Thank you for your help with the backport.

@cowtowncoder cowtowncoder added the CVE label Dec 21, 2017

@cowtowncoder cowtowncoder changed the title from Block more JDK types from polymorphic deserialization to Block more JDK types from polymorphic deserialization (CVE 2017-15095) Dec 21, 2017

poverma commented Jan 31, 2018

As per the conversation, it looks like this "CVE 2017-15095" is not fixed in the 2.6.7.1 version. As mentioned, it is possible to backport to 2.6 as well; it would be really nice to have this for 2.6.
Actually we are using the 2.6.1 version, and if we move to 2.8.10 or 2.9.1 then it gives us a lot of dependency changes in scala_module_2_11.

Member

cowtowncoder commented Jan 31, 2018

@poverma As a volunteer-based OSS project we do not have the resources to maintain a large number of backported versions; and since there is no revenue it is even counter-productive to do so. The more they are supported, the more users postpone upgrades. So at this point it is unlikely that the 2.6 version will get more fixes, at least for the polymorphic deserialization problem, which only affects a certain group of users and is not a general security issue.

poverma commented Feb 7, 2018

Thanks cowtowncoder. We have tried with the jackson-databind 2.9.4 version; for that we have to upgrade the Scala minor version to 11, but there is a dependency issue.
What we changed:
jackson:[[group: 'com.fasterxml.jackson.core', name:'jackson-core', version:'2.9.4'],
[group:'com.fasterxml.jackson.core', name:'jackson-annotations', version:'2.9.4'],
[group:'com.fasterxml.jackson.jaxrs', name:'jackson-jaxrs-json-provider', version:'2.9.4'],
[group:'com.fasterxml.jackson.jaxrs', name:'jackson-jaxrs-base', version:'2.9.4'],
[group:'com.fasterxml.jackson.core', name:'jackson-databind', version:'2.9.4'],
[group:'com.fasterxml.jackson.module', name:'jackson-module-scala_2.11', version:'2.9.4']],
Error:

  • What went wrong:
    Execution failed for task ':apps:release:dependencies'.

Could not resolve all dependencies for configuration ':apps:release:resolve'.
A conflict was found between the following modules:
- org.scala-lang:scala-reflect:2.11.11
- org.scala-lang:scala-reflect:2.11.7

Member

cowtowncoder commented Feb 11, 2018

Problems with Scala version compatibility are unrelated, but you might want to upgrade to 2.8.11 instead, as the first step.

As to conflict itself: that is something your build system (gradle?) would have to help with.

derekstraka added a commit to derekstraka/jackson-databind that referenced this issue Feb 26, 2018

cowtowncoder added a commit that referenced this issue Feb 26, 2018
