
(Jackson 1.x) Fix is needed for CVE-2019-10172 in org.codehaus.jackson : jackson-mapper-asl #2547

Closed
arajwade opened this issue Nov 22, 2019 · 8 comments

Comments

@arajwade

Fix is needed for CVE-2019-10172 in org.codehaus.jackson : jackson-mapper-asl
Can you please fix this vulnerability?

Sonatype Nexus auditor is reporting the following vulnerability for CVE-2019-10172

Vulnerability
Issue: CVE-2019-10172
Severity: Sonatype CVSS 3: 7.3; CVE CVSS 2.0: 0.0
Weakness: Sonatype CWE: 611
Source: National Vulnerability Database
Categories: Data

Description from CVE
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect codehaus jackson-mapper-asl libraries but in different classes.
Explanation

The org.codehaus.jackson:jackson-mapper-asl package is vulnerable to XML External Entity (XXE) attacks. The DOMDeserializer.class file and its inner classes (DocumentDeserializer.class and NodeDeserializer.class) use the _parserFactory instance without restricting it from processing external XML entities when parsing user input. An attacker can exploit this vulnerability to cause XXE injection attacks.

NOTE: This vulnerability is related to the previously reported CVE-2016-3720.

Detection

The application is vulnerable by using this component.

Recommendation

There is no non-vulnerable version of this component/package. We recommend investigating alternative components or a potential mitigating control.
An unofficial workaround is provided in a StackOverflow post which requires setting the FEATURE_SECURE_PROCESSING property of the _parserFactory instance to true within the source code.

Reference: https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja.

Root Cause
jackson-mapper-asl-1.9.12.jar <= org/codehaus/jackson/map/ext/DOMDeserializer.class : [1.9,)
Advisories
Third Party: https://access.redhat.com/security/cve/cve-2019-10172
Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1715075
Third Party: https://nvd.nist.gov/vuln/detail/CVE-2019-10172
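The hardened factory configuration that the recommendation's workaround describes, as an added example and not code from the Jackson project or the linked Stack Overflow post: `HardenedDomFactory` and the two sample documents are constructed here, and the feature URIs beyond FEATURE_SECURE_PROCESSING assume a JAXP parser that supports them (the JDK's bundled Xerces does).

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedDomFactory {
    // Hypothetical helper, not Jackson code: builds a DocumentBuilderFactory the way
    // the workaround in the issue describes (FEATURE_SECURE_PROCESSING) and adds the
    // explicit DTD/entity switches that JAXP exposes for the same purpose.
    static DocumentBuilderFactory secureDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The single property named in the recommendation above.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: no inline DTD, no external entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // For parsers that still accept a DOCTYPE, never resolve external entities or DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed regression inputs: a harmless document, and one carrying a
        // DOCTYPE with an external entity that points at a placeholder URI.
        String plain = "<root><child>ok</child></root>";
        String withDoctype = "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<root>&ext;</root>";
        DocumentBuilderFactory f = secureDocumentBuilderFactory();
        System.out.println("plain parsed: " + parse(f, plain).getDocumentElement().getTagName());
        try {
            parse(f, withDoctype);
            System.out.println("FAIL: DOCTYPE accepted; this parser is not hardened");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected as expected: " + e.getMessage());
        }
    }
}
```

Running main should report the plain document parsed and the DOCTYPE document rejected; a FAIL line means the parser in use ignores these features and a different mitigating control is needed.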

@cowtowncoder
Member

This repository is for Jackson 2.x; not Jackson 1.x.
Repo for Jackson 1.x sources is at:

https://github.com/FasterXML/jackson-1

but it is not actively developed; nor is there a working way to publish new versions as far as I know (1.x was built using Ant, published with Ant maven task).

So unless you are willing to work on it yourself and figure out the publishing aspects, it is unlikely there would be a new version with a fix.

@cowtowncoder cowtowncoder changed the title Fix is needed for CVE-2019-10172 in org.codehaus.jackson : jackson-mapper-asl (Jackson 1.x) Fix is needed for CVE-2019-10172 in org.codehaus.jackson : jackson-mapper-asl Nov 22, 2019
@arajwade
Author

I think the same vulnerability exists in Version 2.x also.
Can you please check and if applicable fix this in Version 2.x?

@cowtowncoder
Member

@arajwade It would help if you could outline why you feel it would affect 2.x. I have not seen specific issue reported against 2.x.

@reswaras

What was the conclusion here? Is there any version that has a fix, or is it not affected?

@cowtowncoder
Member

@reswaras My assumption as of now is that if there is a remaining problem it will be reported: existence of a CVE is not typically a starting point for investigation but a side effect -- whoever files for a CVE should work with authors to help resolve the problem. There are also duplicate CVEs that relate to already fixed problems, so it is possible the problem did exist but has been resolved.
If you are concerned you can investigate this issue further and re-open with specific information, or file a new issue on the appropriate project (since it is an XML-related problem it is more likely to be related to jackson-dataformat-xml).

As to Jackson 1.x, if the problem exists it will not be fixed under this project. But the same formula would be applicable wrt the jackson-1 project: someone would need to outline the actual issue and not just copy-paste a CVE id here.

@arajwade
Author

arajwade commented Dec 2, 2019

Can you please refer to the following Stack Overflow thread:
https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja

It explains the fix applied in a private build by anyone wanting to fix this on Jackson 1.x.

Can you please check if the fix described is valid and whether an identical fix is needed in Jackson 2.x?

@cowtowncoder
Member

@arajwade I am not your servant -- if you want to figure out, you are welcome to do your own tasks. Post is from 2016.

@Sreemanth

What was the conclusion here? Is there any version that has a fix, or is it not affected?

https://stackoverflow.com/a/73540464/1539819
