Block more classes from polymorphic deserialization (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362) #2186

Closed
cowtowncoder opened this Issue Nov 18, 2018 · 6 comments

cowtowncoder commented Nov 18, 2018

This issue covers the following CVEs related to polymorphic deserialization gadgets:

  • CVE-2018-19360 (axis2-transport-jms)
  • CVE-2018-19361 (openjpa)
  • CVE-2018-19362 (jboss-common-core)

Original vulnerability discoverer:
吴桂雄 Wuguixiong

@cowtowncoder cowtowncoder changed the title Block more classes from polymorphic deserialization (placeholder) Block more classes from polymorphic deserialization (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362) Nov 20, 2018

@cowtowncoder cowtowncoder added this to the 2.9.8 milestone Nov 20, 2018

@cowtowncoder cowtowncoder added CVE and removed ACTIVE labels Nov 23, 2018

cowtowncoder added a commit that referenced this issue Nov 23, 2018

cowtowncoder commented Nov 23, 2018

Fix released on 23-Nov-2018, in:

  • 2.7.9.5 (micro-patch of jackson-databind)
  • 2.8.11.3 (micro-patch of jackson-databind, plus jackson-bom version 2.8.11.20181123)

and will be included in 2.9.8 as soon as that gets released (full release along with other fixes)

bbossola commented Nov 28, 2018

Will this fix be included in 2.6.7.3, like #2097 was for 2.6.7.2?

mibo added a commit to mibo/jackson-databind that referenced this issue Nov 28, 2018

cowtowncoder commented Nov 29, 2018

@bbossola I don't think I will release any more 2.6.7.x micro-patches at this point, so no.

sudhi-git commented Dec 14, 2018

Has the 2.9.8 version been released with the fixes?

cowtowncoder commented Dec 14, 2018

Not yet. Should be released within next week or two, definitely before end of 2018.

cowtowncoder commented Dec 16, 2018

@TheSnoozer TheSnoozer referenced this issue Jan 5, 2019: Release 2.2.6 #406 (closed, 9 of 9 tasks complete)

TheSnoozer added a commit to TheSnoozer/maven-git-commit-id-plugin that referenced this issue Jan 5, 2019

TheSnoozer added a commit to git-commit-id/maven-git-commit-id-plugin that referenced this issue Jan 5, 2019

holograph added a commit to holograph/zjsonpatch that referenced this issue Jan 14, 2019

vishwakarma added a commit to flipkart-incubator/zjsonpatch that referenced this issue Jan 14, 2019
