
Upgrade Jackson to 2.8.11 in 1.1.* to address a CVE #2270

Merged
merged 1 commit into from Feb 10, 2018

@arteam
Member

arteam commented Feb 9, 2018

Problem:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485

According to the CVE, maliciously crafted JSON input can allow remote code execution if it's passed directly to the `readValue` method of `ObjectMapper`. The blacklist of deserialized types is ignored if the Spring libraries are available in the classpath.

Solution:

Upgrade Jackson to 2.8.11

Result:

Dropwizard doesn't use Spring, but some end users use Spring along with Dropwizard, so we should give them a simple way to protect their applications.

@arteam arteam force-pushed the release/1.1.x branch 2 times, most recently from a3c5ab0 to 62c9db5 Feb 10, 2018

@jplock jplock added the security label Feb 10, 2018

@jplock

jplock approved these changes Feb 10, 2018

@arteam arteam force-pushed the upgrade-jackson-2.8.11 branch from 9e19ada to 8c0cc70 Feb 10, 2018

Upgrade Jackson to 2.8.11 in 1.1.* to address a CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485

According to the CVE, maliciously crafted JSON input can allow
remote code execution if it's passed directly to the `readValue`
method of `ObjectMapper`. The blacklist of deserialized types is
ignored if the Spring libraries are available in the classpath.

Dropwizard doesn't use Spring, but some end users use Spring along
with Dropwizard, so we should give them a simple way to protect
their applications.
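A regression test an application team could add to pin the mitigation described above. This is an added example, not part of the Dropwizard PR: it assumes JUnit 4 on the test classpath (as in Dropwizard 1.1.x), that the class name `JacksonHardeningTest` is hypothetical, and that the application never turns on Jackson default typing, which is the setting that lets attacker-chosen class names reach `readValue`.

```java
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;

import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import io.dropwizard.jackson.Jackson;
import org.junit.Test;

// Hypothetical test class; it guards the two conditions the PR relies on.
public class JacksonHardeningTest {

    // Minimum jackson-databind release carrying the CVE-2017-17485 fix (from the PR title).
    private static final int MIN_MAJOR = 2, MIN_MINOR = 8, MIN_PATCH = 11;

    /** Numeric compare so a transitive dependency cannot silently pull databind back down. */
    static boolean atLeast(Version v, int major, int minor, int patch) {
        if (v.getMajorVersion() != major) {
            return v.getMajorVersion() > major;
        }
        if (v.getMinorVersion() != minor) {
            return v.getMinorVersion() > minor;
        }
        return v.getPatchLevel() >= patch;
    }

    @Test
    public void databindIsAtLeast2_8_11() {
        // PackageVersion.VERSION reports the jackson-databind jar actually on the classpath.
        Version actual = PackageVersion.VERSION;
        assertTrue("jackson-databind " + actual + " is older than 2.8.11",
                atLeast(actual, MIN_MAJOR, MIN_MINOR, MIN_PATCH));
    }

    @Test
    public void dropwizardMapperDoesNotEnableDefaultTyping() {
        // Dropwizard's factory mapper; a null default typer means no polymorphic
        // type ids are honoured from untrusted JSON, regardless of what is on the classpath.
        ObjectMapper mapper = Jackson.newObjectMapper();
        assertNull("default typing must stay disabled",
                mapper.getDeserializationConfig()
                      .getDefaultTyper(mapper.constructType(Object.class)));
    }
}
```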

@arteam arteam force-pushed the upgrade-jackson-2.8.11 branch from 8c0cc70 to 075125f Feb 10, 2018

@joschi joschi merged commit 24e4f96 into release/1.1.x Feb 10, 2018

5 checks passed:

- ci/circleci: Your tests passed on CircleCI!
- continuous-integration/appveyor/branch: AppVeyor build succeeded
- continuous-integration/appveyor/pr: AppVeyor build succeeded
- continuous-integration/travis-ci/pr: The Travis CI build passed
- continuous-integration/travis-ci/push: The Travis CI build passed

@joschi joschi deleted the upgrade-jackson-2.8.11 branch Feb 10, 2018
