
Upgrade Jackson to 2.9.4 in 1.2.* to address a CVE #2269

Merged
merged 1 commit into from Feb 10, 2018

@arteam
Member

arteam commented Feb 9, 2018

Problem:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485

According to the CVE, maliciously crafted JSON input can allow remote code execution if it's passed directly to the `readValue` method of `ObjectMapper`. The blacklist of deserialized types is ignored if the Spring libraries are available in the classpath.

Solution:

Upgrade Jackson to 2.9.4 with a fix to the CVE.

Result:

Dropwizard doesn't use Spring, but some end users use Spring along with Dropwizard, so we should give them a simple way to protect their applications.

Upgrade Jackson to 2.9.4 in 1.2.* to address a CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485

According to the CVE, maliciously crafted JSON input can allow a
remote code execution, if it's passed directly to the `readValue`
method of `ObjectMapper`. The blacklist of deserialized types is
ignored if the Spring libraries are available in the classpath.

Dropwizard doesn't use Spring, but some end users use Spring along
with Dropwizard, so we should give them a simple way to protect
their applications.
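A fail-fast guard that a Dropwizard-style application could run at startup to confirm the fix described above is actually in effect: it checks that the `jackson-databind` on the classpath is at least 2.9.4 and that the application's `ObjectMapper` has no default typing configured, then binds input to a concrete class rather than to `Object`. This is an added example, not code from this pull request or from Dropwizard; it assumes jackson-databind 2.9.x on the classpath and uses the hypothetical `Payload` class and `JacksonGuard` names.

```java
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import com.fasterxml.jackson.databind.type.TypeFactory;

public final class JacksonGuard {

    // Lowest jackson-databind release carrying the fix for CVE-2017-17485.
    static final Version MIN_DATABIND =
            new Version(2, 9, 4, null, "com.fasterxml.jackson.core", "jackson-databind");

    // PackageVersion.VERSION is the version of the databind jar actually loaded,
    // not the one declared in the build file, so this catches a shaded or
    // transitively pinned older copy.
    static boolean databindIsPatched() {
        return PackageVersion.VERSION.compareTo(MIN_DATABIND) >= 0;
    }

    // With no default typing enabled the mapper has no type resolver builder,
    // so untyped input can never select the class to instantiate.
    static boolean defaultTypingDisabled(ObjectMapper mapper) {
        return mapper.getDeserializationConfig()
                .getDefaultTyper(TypeFactory.defaultInstance().constructType(Object.class)) == null;
    }

    // Refuse to start rather than run with a mapper that accepts attacker-chosen types.
    static void verify(ObjectMapper mapper) {
        if (!databindIsPatched()) {
            throw new IllegalStateException(
                    "jackson-databind " + PackageVersion.VERSION + " is older than " + MIN_DATABIND);
        }
        if (!defaultTypingDisabled(mapper)) {
            throw new IllegalStateException("ObjectMapper has default typing enabled");
        }
    }

    // Hypothetical request body; binding to a concrete class keeps the
    // deserialized type under the application's control.
    public static final class Payload {
        public String name;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        verify(mapper);
        // Constructed sample input for illustration.
        Payload p = mapper.readValue("{\"name\":\"example\"}", Payload.class);
        System.out.println("bound payload name: " + p.name);
    }
}
```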

@joschi joschi merged commit 0ce5043 into release/1.2.x Feb 10, 2018

5 checks passed

- ci/circleci: Your tests passed on CircleCI!
- continuous-integration/appveyor/branch: AppVeyor build succeeded
- continuous-integration/appveyor/pr: AppVeyor build succeeded
- continuous-integration/travis-ci/pr: The Travis CI build passed
- continuous-integration/travis-ci/push: The Travis CI build passed

@joschi joschi deleted the jackson-2.8.4 branch Feb 10, 2018

@jplock jplock added this to the 1.2.4 milestone Feb 10, 2018

@jplock jplock added the security label Feb 10, 2018
