Block one more gadget type (logback, CVE-2019-12384) #2334

Closed
cowtowncoder opened this issue May 28, 2019 · 10 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Comments

@cowtowncoder
Member

cowtowncoder commented May 28, 2019

A new gadget type (see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) was reported, and CVE id allocated was CVE-2019-12384.
The CVE description is available at https://nvd.nist.gov/vuln/detail/CVE-2019-12384 for full details, but the specific variation (in addition to needing "default typing" and the attacker being able to craft a specific JSON message) is that:

  • If the service has the logback-classic jar in its classpath

the vulnerability applies.

Fixed in:

  • 2.9.10
  • 2.8.11.4
  • 2.7.9.6
  • 2.6.7.3
@cowtowncoder cowtowncoder added 2.9 CVE Issues related to public CVEs (security vuln reports) labels May 28, 2019
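The condition above (default typing enabled, attacker-controlled JSON, a gadget jar on the classpath) is what the fix in jackson-databind blocks for this one class. The example below is added here and is not code from the issue or from the Jackson project; it shows the configuration-side mitigation that removes the precondition entirely: never let the document choose the class to instantiate, and instead declare the permitted subtypes explicitly with `@JsonTypeInfo`/`@JsonSubTypes`. The `Animal`/`Cat`/`Dog` types and the JSON inputs are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicAllowlistExample {

    // Hypothetical base type with a closed list of subtypes. Jackson resolves
    // the "type" property only against this list, so a type id naming any
    // other class on the classpath is rejected before instantiation.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Cat.class, name = "cat"),
        @JsonSubTypes.Type(value = Dog.class, name = "dog")
    })
    public static abstract class Animal {
        public String name;
    }

    public static class Cat extends Animal { }
    public static class Dog extends Animal { }

    // Hardened mapper: default typing is never enabled, so polymorphism is
    // driven solely by the annotations above.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // Weak configuration, shown only for contrast and never to be used with
    // untrusted input: global default typing lets the JSON document name the
    // concrete class to instantiate, which is the precondition for this CVE.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input: a legitimate message using an allowlisted type id.
        String ok = "{\"type\":\"cat\",\"name\":\"Tom\"}";
        Animal a = mapper.readValue(ok, Animal.class);
        System.out.println("accepted: " + a.getClass().getSimpleName() + " " + a.name);

        // Constructed input: a type id that is not on the allowlist. With the
        // hardened mapper this fails with InvalidTypeIdException (added in 2.8)
        // instead of loading a class by name.
        String unknown = "{\"type\":\"com.example.NotAllowed\",\"name\":\"x\"}";
        try {
            mapper.readValue(unknown, Animal.class);
            System.out.println("BUG: unknown type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

The useful operational check is the negative case: if a service's mapper accepts `com.example.NotAllowed` as a type id, default typing is in effect somewhere and the classpath, not the application, decides what can be instantiated.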
@hwwxj

hwwxj commented Jun 11, 2019

Excuse me, may I ask when this issue will be solved?

@cowtowncoder
Member Author

I hope to have to work on this (and perhaps the other CVE to file) later this week.

@cowtowncoder cowtowncoder added this to the 2.9.9.1 milestone Jun 13, 2019
@cowtowncoder
Member Author

Fixed in 2.9 (for likely micro-patch 2.9.9.1), as well as backported in 2.8 and 2.7 (in case new versions might be released; or to make it easier for users to build from those branches).

@hwwxj

hwwxj commented Jun 17, 2019

OK, thank you very much. By the way, when will the patch 2.9.9.1 be released? We need this urgently.

@cowtowncoder
Member Author

I'll be going on vacation later today, back on July 1st, so at earliest in early July (but possibly mid-July, depending on if it'll be 2.9.10 or 2.9.9.1).

@cowtowncoder
Member Author

Release 2.9.9.1 in-progress.

@jebeaudet

@cowtowncoder Are you planning on releasing a 2.9.9.1 for the jackson-bom artifact containing this jackson-databind release? Thanks

scottfrederick pushed a commit to spring-cloud/spring-cloud-connectors that referenced this issue Jul 5, 2019
@cowtowncoder
Member Author

@jebeaudet I am a bit on the fence on that -- if you would find it useful, please file an issue and I can create one?

@hwwxj

hwwxj commented Aug 5, 2019

Excuse me, may I ask when Jackson 2.9.10 will be released?

@cowtowncoder
Member Author

@hwwxj Not clear yet -- not enough bug fixes to warrant full release. But micro-patches 2.9.9.1 and 2.9.9.2 exist with the fix (plus there will be imminent 2.9.9.3 to address #2395 that was included in 2.9.9.2).
