Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver #2058

Closed
cowtowncoder opened this issue Jun 8, 2018 · 1 comment

Comments

Projects
None yet
1 participant
@cowtowncoder
Copy link
Member

commented Jun 8, 2018

There is a potential remote code execution (RCE) vulnerability, if user is

  1. handling untrusted content (where attacker can craft JSON)
  2. using "Default Typing" feature (or equivalent; polymorphic value with base type of java.lang.Object
  3. has oracle JDBC driver jar in classpath
  4. allows connections from service to untrusted hosts (where attacker can run an LDAP service)

(note: steps 1 and 2 are common steps as explained in https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)

To solve the issue, 2 types from JDBC driver are blacklisted to avoid their use as "serialization gadgets".

Original vulnerability discoverer:
吴桂雄 Wuguixiong

cowtowncoder added a commit that referenced this issue Jun 8, 2018

@cowtowncoder

This comment has been minimized.

Copy link
Member Author

commented Jun 8, 2018

Fix committed earlier as:

7487cf7

and is included in versions:

  • 2.7.9.4
  • 2.8.11.2
  • 2.9.6

once released.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.