False positives for CVE-2016-3720 for several jackson libraries #517

Closed
albuch opened this Issue Jun 16, 2016 · 16 comments

@albuch
Contributor

albuch commented Jun 16, 2016

CVE-2016-3720 is falsely reported for the following libraries and probably all other com.fasterxml.jackson libraries for all versions (e.g. [version] = 2.5.0, 2.5.4, 2.6.5)

  • jackson-annotations-[version].jar
  • jackson-core-[version].jar
  • jackson-databind-[version].jar
  • jackson-datatype-jdk8-[version].jar
  • jackson-datatype-jsr310-[version].jar

Am I right that we can't use the CPE as a suppression rule here, as that would exclude the vulnerable library jackson-dataformat-xml as well?

@awhitford

Contributor

awhitford commented Jun 16, 2016

Is the CVE limited to just jackson-dataformat-xml? Because that is what I thought at first, but then the CVE mentions cpe:/a:fasterxml:jackson:- which seems pretty broad.

Note that the issue seems limited to XML, yet I only use Jackson for JSON.

@albuch

Contributor

albuch commented Jun 17, 2016

As far as I understand the original Fedora bug report, only the extension jackson-dataformat-xml is affected, which must be put explicitly on the classpath.

@awhitford

Contributor

awhitford commented Jun 17, 2016

In that case, isn't the CVE metadata incorrect? As long as it says cpe:/a:fasterxml:jackson:-, then it is going to get hits on the artifacts that you mentioned. I don't see why the metadata cannot be more specific to the dataformat-xml artifact. (Whom do you complain to about CVE metadata?)

@albuch

Contributor

albuch commented Jun 17, 2016

That is correct Anthony. Though I'm not sure where to file a fix for CVE metadata, and if it would be fixed at all. I guess RedHat could be the contact here as the responsible CVE Numbering Authority.

@albuch

Contributor

albuch commented Jun 22, 2016

FYI, I've sent an email to RedHat security team. We'll see if I'm mistaken or if they can fix it.

@awhitford

Contributor

awhitford commented Jun 22, 2016

I raised a ticket for jackson-dataformat-xml and they responded saying that it has already been fixed for Jackson 2.7.4.

I also sent an email to cve@mitre.org (after reading the FAQ) and they forwarded the issue to nvd@nist.gov.

@jeremylong

Owner

jeremylong commented Jul 19, 2016

After thinking about this some more I believe we could use the following suppression rules to suppress the false positive for all except the Jackson-dataformat-xml:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
   <suppress>
      <notes><![CDATA[
      file name: jackson-core-2.6.5.jar
      ]]></notes>
      <gav regex="true">com\.fasterxml\.jackson\.core:jackson.*</gav>
      <cve>CVE-2016-3720</cve>
   </suppress>
   <suppress>
      <notes><![CDATA[
      file name: jackson-core-2.6.5.jar
      ]]></notes>
      <gav regex="true">com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).*</gav>
      <cve>CVE-2016-3720</cve>
   </suppress>
</suppressions>
@susenj

susenj commented Aug 16, 2016

@awhitford, did you get any update on your e-mail? I am safely assuming that the vulnerability exists even with Jackson 2.7.4.

Does anyone know the tentative timeline of the next Jackson version?

jeremylong added a commit that referenced this issue Dec 22, 2016

@jeremylong

Owner

jeremylong commented Dec 22, 2016

The fix for this FP has been implemented in 1.4.5-SNAPSHOT and will be included in the next release.

@jeremylong jeremylong closed this Dec 22, 2016

@samisalonen

samisalonen commented Feb 6, 2017

Jackson artifacts had different Maven coordinates earlier. I added the following suppression to handle those old artifacts with Dependency-Check 1.4.5.

   <suppress>
      <notes><![CDATA[
      https://github.com/jeremylong/DependencyCheck/issues/517
      ]]></notes>
      <gav regex="true">org\.codehaus\.jackson:jackson-.*</gav>
      <cve>CVE-2016-3720</cve>
   </suppress>

I am not aware which old artifact(s) corresponds to vulnerable com.fasterxml.jackson.dataformat:jackson-dataformat-xml (if any), so this potentially suppresses too much.

@jeremylong

Owner

jeremylong commented Feb 8, 2017

Thanks - I did a little research and updated the regex to include the alternative group.

@albuch

Contributor

albuch commented Mar 15, 2017

Hi @jeremylong,
another package that is falsely reported is

ehcache-2.10.3.jar/rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/pom.xml (com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.3.3, cpe:/a:fasterxml:jackson:2.3.3) : CVE-2016-3720

I've locally updated the rule to exclude all sub-groups except dataformat:

    <suppress base="true">
        <notes><![CDATA[
            This CVE only affects jackson-dataformat-xml. See issue #517.
        ]]></notes>
        <gav regex="true">(org\.codehaus\.jackson|com\.fasterxml\.jackson\.(?!dataformat)[^:]+):jackson.*</gav>
        <cve>CVE-2016-3720</cve>
    </suppress>
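The two suppression regexes posted in this thread (jeremylong, Jul 19 2016 and albuch, Mar 15 2017) can be checked offline against the GAV coordinates the thread reports, before anyone commits them to a suppression file. The script below is an added example, not Dependency-Check's own code; it assumes that `re.fullmatch()` mirrors the full-string match Dependency-Check applies to a `<gav regex="true">` pattern, and the sample coordinates are constructed from the artifacts named above.

```python
import re

# Suppression regexes quoted from this thread. Dependency-Check applies a
# <gav regex="true"> pattern to the whole "group:artifact:version" string;
# re.fullmatch() is assumed here to mirror that full-match behaviour.
RULES_JUL_2016 = [  # jeremylong, Jul 19 2016
    r"com\.fasterxml\.jackson\.core:jackson.*",
    r"com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).*",
]
RULES_MAR_2017 = [  # albuch, Mar 15 2017
    r"(org\.codehaus\.jackson|com\.fasterxml\.jackson\.(?!dataformat)[^:]+):jackson.*",
]

# Constructed sample: the GAVs reported as false positives in this thread,
# plus the one artifact that genuinely carries CVE-2016-3720.
VULNERABLE = "com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.6.5"
SAMPLE_GAVS = [
    "com.fasterxml.jackson.core:jackson-core:2.6.5",
    "com.fasterxml.jackson.core:jackson-databind:2.6.5",
    "com.fasterxml.jackson.core:jackson-annotations:2.6.5",
    "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.6.5",
    "com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.3.3",
    "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.6.5",
    "org.codehaus.jackson:jackson-mapper-asl:1.9.13",  # constructed 1.x coordinate
    VULNERABLE,
]


def is_suppressed(gav, rules):
    """True if any suppression regex matches the full GAV string."""
    return any(re.fullmatch(r, gav) for r in rules)


def evaluate(rules, gavs=SAMPLE_GAVS):
    """Map each GAV to whether the rule set would hide CVE-2016-3720 for it."""
    return {gav: is_suppressed(gav, rules) for gav in gavs}


def safe(rules):
    """A rule set is only acceptable if it never hides the real finding."""
    return not is_suppressed(VULNERABLE, rules)


if __name__ == "__main__":
    for name, rules in (("Jul 2016", RULES_JUL_2016), ("Mar 2017", RULES_MAR_2017)):
        print(f"{name}: safe={safe(rules)}")
        for gav, hit in evaluate(rules).items():
            print(f"  {'suppressed' if hit else 'STILL FLAGGED'}  {gav}")
```

Running it shows the Jul 2016 rules leave the jaxrs and datatype groups flagged (the gap reported later in the thread), while the Mar 2017 rule covers those but leaves jackson-dataformat-yaml flagged; neither rule suppresses jackson-dataformat-xml.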
@cowtowncoder

cowtowncoder commented May 20, 2017

Apologies for commenting on a closed ticket, but since I had to send an update request for another related Jackson XML CVE I thought update might make sense.

Jackson side issue for CVE-3720 is: FasterXML/jackson-dataformat-xml#190 and it was indeed fixed in 2.7.4 and only affects jackson-dataformat-xml.

There is a newer but similar CVE, 7051: http://www.cvedetails.com/cve/CVE-2016-7051/ which:

It also looks like the description at mitre.org is too general as well, leading to false alarms:

FasterXML/jackson-core#371

Similar to issue here.

I suspect it might make sense to file a new issue, but thought maybe starting here would make most sense.

@nhenneaux

nhenneaux commented Jul 10, 2017

It still fails with v2.0.1. Should I create a new ticket?

jackson-jaxrs-base-2.8.9.jar (com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.8.9, cpe:/a:fasterxml:jackson:2.8.9) : CVE-2016-7051
jackson-datatype-joda-2.8.9.jar (com.fasterxml.jackson.datatype:jackson-datatype-joda:2.8.9, cpe:/a:fasterxml:jackson:2.8.9) : CVE-2016-7051

@Stephan202

Stephan202 commented Jul 10, 2017

@nhenneaux see #792.

@lock

lock bot commented Sep 28, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 28, 2018
