
Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548) #2634

Closed
cowtowncoder opened this issue Mar 1, 2020 · 7 comments

Comments

@cowtowncoder cowtowncoder commented Mar 1, 2020

Another 2 gadget types reported regarding classes of the ibatis-sqlmap and Anteros-Core packages.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-9547, CVE-2020-9548
Reporters: threedr3am & V1ZkRA

Fix will be included in:

  • 2.9.10.4
  • 2.8.11.6 (jackson-bom version 2.8.11.20200310)
  • 2.7.9.7
  • Does not affect 2.10.0 and later
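The bullets above say the fix is a block-list update for the 2.7/2.8/2.9 lines and that 2.10.0 and later are unaffected. The following is an added example, not code from this issue or from the jackson-databind project, showing why: from 2.10 on, default typing is activated with a `PolymorphicTypeValidator`, so only explicitly allowed subtypes can be named in a type id, whereas the pre-2.10 `enableDefaultTyping()` accepts any class on the classpath and has to be protected by blocking each newly reported gadget class. `Shape` and `Circle` are hypothetical application types; the JSON inputs are constructed.

```java
// Added example (not from the jackson-databind project): allow-list
// PolymorphicTypeValidator as available in Jackson 2.10+, shown beside the
// deprecated pre-2.10 setting it replaces. Shape/Circle are hypothetical.
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class SafeDefaultTyping {

    // Hypothetical application base type and its one legitimate implementation.
    public interface Shape { }

    public static final class Circle implements Shape {
        public double radius;
    }

    // Weak setting (pre-2.10 style, deprecated in 2.10): any class on the
    // classpath may be named in "@class". Safety then depends entirely on the
    // library's deny-list being complete, which this issue extends yet again.
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        return new ObjectMapper()
                .enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
    }

    // Hardened setting (2.10+): only the subtypes on this allow-list may be
    // resolved from a type id; everything else is rejected before any instance
    // of the named class is created.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = safeMapper();

        // Constructed input naming the allowed subtype: accepted.
        String ok = "{\"@class\":\"" + Circle.class.getName() + "\",\"radius\":2.0}";
        Shape s = mapper.readValue(ok, Shape.class);
        System.out.println("accepted: " + s.getClass().getSimpleName());

        // Constructed input naming a class outside the allow-list (a harmless
        // JDK class is used here): the validator denies resolution.
        String notAllowed = "{\"@class\":\"java.util.HashMap\"}";
        try {
            mapper.readValue(notAllowed, Shape.class);
            System.out.println("unexpectedly accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The safest configuration remains not activating default typing at all and using `@JsonTypeInfo` with a fixed set of `@JsonSubTypes` on the base types that genuinely need polymorphism; the allow-list above is the fallback when default typing cannot be removed.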
@cowtowncoder cowtowncoder added this to the 2.9.10.4 milestone Mar 1, 2020
cowtowncoder added a commit that referenced this issue Mar 1, 2020
@carnil carnil commented Mar 2, 2020

CVE-2020-9547 and CVE-2020-9548 have been assigned according to the MITRE CVE feed.

@cowtowncoder cowtowncoder commented Mar 3, 2020

@carnil Thank you. For some reason I have not yet received an email notification, but these seem to be legit ids from the sequence, so I'll use these and double-check when I get confirmation.

@cowtowncoder cowtowncoder changed the title Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-to-be-allocated) Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548) Mar 3, 2020
@Arashiailing Arashiailing commented Mar 3, 2020 (comment marked as off-topic)

Why, when I import com.fasterxml.jackson.databind.ObjectMapper, does IDEA tell me that it cannot resolve it?
I have written the dependency in pom.xml:

```xml
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
    <version>2.10.1</version>
</dependency>
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.9.10.3</version>
</dependency>
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-annotations</artifactId>
    <version>2.10.1</version>
</dependency>
```

What's wrong?

@Arashiailing Arashiailing commented Mar 3, 2020 (comment marked as off-topic)

If I use the lib from local instead of Maven, would the result be different?

@cowtowncoder cowtowncoder commented Mar 4, 2020

@Arashiailing please do not add unrelated comments on issues. For help, use mailing lists:

https://groups.google.com/forum/#!forum/jackson-user

or Gitter chat:

https://gitter.im/FasterXML/jackson-databind

qxo added a commit to qxo/jackson-databind that referenced this issue Mar 10, 2020
cowtowncoder added a commit that referenced this issue Mar 10, 2020
@pioto pioto commented Mar 27, 2020

Is there a scheduled release date for 2.9.10.4?

I'm impacted by this issue, but the milestone doesn't seem to have any release date set yet.

@cowtowncoder cowtowncoder commented Mar 29, 2020

@pioto As OSS projects usually go, when it is ready. Unfortunately there has been a steady stream of individual classes to block, and since I do not want to spend time releasing micro-patches every week, I have tried to wait a couple of days to have a break. So far there are 12 issues resolved, and none open (although waiting for CVE ids for 2).
But I think I will release 2.9.10.4 by next weekend, regardless.
