CVE-2019-12814: Block yet another gadget type (jdom, CVE-2019-12814) · Issue #2341 · FasterXML/jackson-databind
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Labels
CVE
Issues related to public CVEs (security vuln reports)
Comments
cowtowncoder changed the title Block yet another gadget type (CVE to be requested) Block yet another gadget type (CVE-2019-12814)
Jun 14, 2019
Fixed in 2.7, 2.8, 2.9, 2.10 and master branches for likely release in 2.9.9.1 and 2.10.0.
When can we expect a 2.9.9.1 release?
I appreciate the hard work being done by the jackson-databind developers, but 3 days later, I have to repeat @antalindisguise’s question again: Why isn’t 2.9.9.1 released yet? Those of us who use the OWASP Dependency Check plugin in our projects now have failing builds because of CVE-2019-12814, without a proper remedy. I really don’t like adding a suppression for a legitimate security issue. 😕
@volkert-fastned if it helps, you’ve had a legitimate security issue for ages already, you just didn’t know about it until today. Plus, if you don’t have JDOM then it would be a legitimate suppression.
@OrangeDog Thanks. I read it in the CVE description as well.
So when the following commands return no results, the project should be unaffected, correct?
# Maven project
mvn dependency:tree | grep -i jdom
# Gradle project
./gradlew dependencies | grep -i jdom
Well you would also have to “enableDefaultTyping” (either globally or for a specific property :)
For me, the problem is that our pipeline checks for dependencies with known issues and aborts the process if a problem is found. You can argue that the problem is in the previous versions, but if the problem is solved, why not just release?
@mpbalmeida in general you cannot expect every dependency to release a fix as soon as a vulnerability is known. If your pipeline relies on that, then you need to make changes.
@volkert-fastned
So when the following commands return no results, the project should be unaffected
What’s on the classpath when your code runs is not simply the list of project dependencies. You need to audit your systems and be aware of what’s happening.
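The two preconditions spelled out in the description and the replies above (Default Typing enabled, and a JDOM jar on the classpath the deserializer actually runs with), put together in one added Java example. This is not code from the jackson-databind project or from anyone in this thread. It assumes jackson-databind 2.10 or later for the allowlist API (`activateDefaultTyping` with a `PolymorphicTypeValidator`); the package `com.example.app` and the `Greeting` type are made up for illustration, and the refused payload names `java.util.HashMap`, not any gadget class.

```java
package com.example.app;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application type: the only polymorphic payload this service expects.
    public static class Greeting {
        public String text;
    }

    // Precondition 1 from the CVE text: Default Typing enabled globally.
    // With this setting any class on the classpath (JDOM included, if present)
    // can be named in the JSON as the type to instantiate.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened form (2.10+): Default Typing stays on, but only subtypes under an
    // explicit package prefix are resolved. Anything else is refused, whether or
    // not the databind blocklist has heard of it yet.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")   // assumed application package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Precondition 2: is a JDOM jar present on the *runtime* classpath?
    // Unlike `mvn dependency:tree`, this asks the class loader that will serve
    // the deserializer, so container-provided and shaded jars count too.
    static boolean jdomOnRuntimeClasspath() {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        return cl.getResource("org/jdom/Document.class") != null      // JDOM 1.x
            || cl.getResource("org/jdom2/Document.class") != null;    // JDOM 2.x
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JDOM on runtime classpath: " + jdomOnRuntimeClasspath());

        // Default-typed (WRAPPER_ARRAY, Id.CLASS) payloads: one naming the expected
        // application type, one naming a class outside the allowed package.
        String expected = "[\"com.example.app.DefaultTypingHardening$Greeting\", {\"text\": \"hi\"}]";
        String foreign  = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

        Object loose = weakMapper().readValue(foreign, Object.class);
        System.out.println("weak mapper accepted: " + loose.getClass().getName());

        ObjectMapper hardened = hardenedMapper();
        Object ok = hardened.readValue(expected, Object.class);
        System.out.println("hardened mapper accepted: " + ok.getClass().getName());
        try {
            hardened.readValue(foreign, Object.class);
            System.out.println("hardened mapper accepted (unexpected)");
        } catch (JsonMappingException e) {
            System.out.println("hardened mapper refused: " + e.getOriginalMessage());
        }
    }
}
```

Run it once with the JDOM jar on the classpath and once without to see the runtime check flip; the weak mapper instantiates whatever the payload names in both cases, while the hardened mapper only resolves types under the allowed prefix. Per-property Default Typing (`@JsonTypeInfo` on a field) has the same exposure and gets the same validator via `ObjectMapper.setPolymorphicTypeValidator`.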
We can manually trigger a rebuild, but I thought the problem was already solved because there were no open issues in the 2.9.9.1 milestone.
I don’t know the details of how this issue was discovered or originally disclosed (insert grain of salt)
But IMHO, it would be nice to release the fix before disclosing the vuln.
In the specific case of CVE-2019-12814, one of the prerequisites for being vulnerable (kind of a weird way to put it, but you know what I mean) is "the service has JDOM 1.x or 2.x jar in the classpath". Source: https://nvd.nist.gov/vuln/detail/CVE-2019-12814
By the way, it’s kind of odd how an XML dependency such as JDOM would trigger a JSON-related vulnerability.
It is worth noting that JDOM2 comes as a dependency within the latest version of Spring-Boot-Starter-Parent 2.1.6
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-parent/2.1.6.RELEASE
(edited to reflect a mistake I made by saying spring-boot when I meant spring-boot-starter-parent)
Thanks @benjamin Asbach for making me recheck and finding my mistake
If you run the cmd:
mvn help:effective-pom -Doutput=effective.xml
and then search for JDOM you can see it’s there at version <jdom2.version>2.0.6</jdom2.version>
Really hoping version 2.9.9.1 is released soon, this is causing me headaches.
Really??? I thought mvn dependency:tree also showed all transitive dependencies. Yet another thing you can’t rely on. 😕
Thanks for sharing this method, @andr3w-hilton.
And again, not to be ungrateful to the developers, but what’s holding up the 2.9.9.1 release right now? Is it undergoing a final rigorous code audit and/or pentest? Because in that case, I completely understand and support the current holdup.
@volkert-fastned @cowtowncoder has simply taken a break lol - nothing more, nothing less.
Perhaps assist by having a PR ready for when he gets back?
Well, to be fair, everybody deserves a good vacation every now and then. 🙂
But I don’t think any PRs are necessary anymore. The actual issues have already been resolved. It’s just that we’re still waiting for the 2.9.9.1 release that contains these fixes: https://github.com/FasterXML/jackson-databind/milestone/97
By the way, it’s somewhat worrisome how such a crucial library like jackson-databind apparently has so few developers maintaining it that the vacation of one person would block a release with an important security fix. One obviously can’t blame any individual developers or maintainers for that. This is a problem that needs to be solved at an organizational level.
xD
Not really; usually all deploys are held, monitored and approved by a single person?
There are a few maintainers, hey. I know Tatu is getting ready for 2.10 and doing the min JDK 8 impl, I’m doing the JPMS impl, and I know a few others are doing a few bits as well.
Also what organization do you believe is running this project? :)
Nah, the way it is now is correct; the single point for final approval and deployment definitely is correct. And yeah, I think he is allowed a break for as long as needed. Rather wait patiently and get a refreshed mind doing it. There also seem to be people complaining about dropping JDK 6 support (but 2.10 drops JDK 7 support), so I believe there’s that consideration for 2.9.10 as well for some security fixes (although the JDK has more holes than any library), so there’s a lot going on.
all deploys are held monitored and approved by a single person?
If (hopefully not) the one person who can do that gets hit by a car while on holiday, does that mean that there will never be another release of Jackson? There needs to be multiple people who can do it, both to deal with that situation, and with this one.
I thought mvn dependency:tree also showed all transitive dependencies.
It does. @andr3w-hilton is mistaken and looking at the <dependencyManagement> section, not the <dependencies>.
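One way to check the point just made (an entry under <dependencyManagement> is a version pin inherited from the parent, not a dependency of your module), as an added Java example; it is not code from this thread, from Maven or from Spring Boot. The effective-POM excerpt is constructed to mimic the output of `mvn help:effective-pom` for a child of spring-boot-starter-parent 2.1.6, using the jdom2 and jackson-databind versions mentioned above, and it is parsed namespace-unaware so the real `xmlns` attribute does not matter.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class EffectivePomCheck {

    // Constructed excerpt in the shape of `mvn help:effective-pom -Doutput=effective.xml`
    // output: jdom2 shows up in <properties> and <dependencyManagement> only, while the
    // module's actual <dependencies> section does not declare it.
    static final String EFFECTIVE_POM = ""
        + "<project>"
        + "  <properties><jdom2.version>2.0.6</jdom2.version></properties>"
        + "  <dependencyManagement><dependencies>"
        + "    <dependency><groupId>org.jdom</groupId><artifactId>jdom2</artifactId>"
        + "      <version>2.0.6</version></dependency>"
        + "    <dependency><groupId>com.fasterxml.jackson.core</groupId>"
        + "      <artifactId>jackson-databind</artifactId><version>2.9.9</version></dependency>"
        + "  </dependencies></dependencyManagement>"
        + "  <dependencies>"
        + "    <dependency><groupId>com.fasterxml.jackson.core</groupId>"
        + "      <artifactId>jackson-databind</artifactId></dependency>"
        + "  </dependencies>"
        + "</project>";

    // Parse with DTDs and external entities disabled: a POM is attacker-influenced
    // input in a shared CI environment, so the XML parser gets hardened too.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // groupId:artifactId of every <dependency>, split by whether its ancestry passes
    // through <dependencyManagement> (managed = pinned only) or not (declared = on classpath).
    static List<String> dependencies(Document doc, boolean managedOnly) {
        List<String> out = new ArrayList<>();
        NodeList deps = doc.getElementsByTagName("dependency");
        for (int i = 0; i < deps.getLength(); i++) {
            Element dep = (Element) deps.item(i);
            if (underDependencyManagement(dep) == managedOnly) {
                out.add(text(dep, "groupId") + ":" + text(dep, "artifactId"));
            }
        }
        return out;
    }

    static boolean underDependencyManagement(Node n) {
        for (Node p = n.getParentNode(); p != null; p = p.getParentNode()) {
            if ("dependencyManagement".equals(p.getNodeName())) return true;
        }
        return false;
    }

    static String text(Element dep, String child) {
        NodeList l = dep.getElementsByTagName(child);
        return l.getLength() == 0 ? "?" : l.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(EFFECTIVE_POM);
        List<String> declared = dependencies(doc, false);
        List<String> managed = dependencies(doc, true);
        System.out.println("declared (on the build classpath): " + declared);
        System.out.println("managed only (version pins, not on the classpath): " + managed);
        boolean jdomDeclared = declared.stream().anyMatch(d -> d.startsWith("org.jdom:"));
        System.out.println("JDOM is an actual dependency of this module: " + jdomDeclared);
    }
}
```

Searching effective.xml for the string "jdom" finds the pin and reports a false positive; the `declared` list is what `mvn dependency:tree` expands. Neither tells you what the application server or a shaded jar adds at runtime, which is the other half of the warning above.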