Another two gadgets to exploit default typing issue in jackson-databind (CVE-2018-5968)
OneSourceCat opened this issue · 20 comments
Another 2 gadget types reported against Hibernate, iBatis.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.
Mitre id: CVE-2018-5968
Fixed in:
- 2.9.4 and later
- 2.8.11.1
- 2.7.9.2
- 2.6.7.3
I am not sure I saw that email. Which address was it from (or what was the title)?
The title is "[Critical] Jackson Deserialization RCE via a new Gadget".
There are two emails about two different gadgets.
Ok somehow I do not see this via that email address (with that title or any other combination).
Would it be possible re-send it?
@OneSourceCat Should the latest published version of jackson-databind be considered vulnerable, until the issue is resolved?
@codelion before assuming anything, make sure to also read:
to know under what special conditions vulnerabilities exist. For most Jackson users these are not applicable.
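As an added illustration of the "special conditions" referred to above (this is example code written for this page, not code from the issue thread or from the jackson-databind project), the following shows the configuration the default typing issue depends on beside the safer alternative. Enabling default typing globally lets the JSON document itself name the class to instantiate for Object-typed properties; declaring polymorphism per base type with a closed set of logical names does not. The `Shape`, `Circle` and `Square` types and the `type` property name are hypothetical.

```java
// Added example, not from the issue thread or the jackson-databind project.
// Shows the configuration CVE-2018-5968-style gadgets rely on beside a safer pattern.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingExample {

    // Risky (the "special condition"): global default typing means any Object-typed
    // property accepts a class name from the input, so a gadget class that happens to be
    // on the classpath becomes reachable. Absent a gadget, this is still an unsafe default.
    static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Safer: no default typing at all. Polymorphism is declared only where it is needed,
    // using logical names mapped to a fixed set of subtypes, so the input cannot select
    // an arbitrary class. Hypothetical domain types for the example.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    static ObjectMapper safeMapper() {
        return new ObjectMapper(); // default typing left disabled
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a logical type name, not a class name.
        String json = "{\"type\":\"circle\",\"radius\":2.0}";
        Shape s = safeMapper().readValue(json, Shape.class);
        System.out.println("Deserialized as " + s.getClass().getSimpleName());
        // A "type" value outside the declared set is rejected with an
        // InvalidTypeIdException instead of loading a class by name.
    }
}
```

If a code base must keep default typing enabled (for example, to read legacy documents), the practical checks are to confirm the jackson-databind version is one of the fixed releases listed in this issue and to audit every `enableDefaultTyping` call and every `@JsonTypeInfo(use = Id.CLASS)` annotation on `Object`-typed properties.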
@cowtowncoder I've already resent the report. My email address is chongrui123[at]gmail.com.
@OneSourceCat Ah. Gmail decided to put them in SPAM for some weird reason. :-o
will this fix be added to the 2.8 branch
Yes, it is in 2.8 branch. Fix will be in 2.8.11.1 if such is released at some point; no full releases are planned for 2.8 at this point.
Fix was included in 2.9.4 release.
thanks!
OWASP dependency check is still reporting this as vulnerable after updating to 2.8.11.1
@arunnc In general, we cannot rely on NVD for the accuracy of vulnerable and fix versions. Shameless plug but you can try using https://www.sourceclear.com/ instead.
@codelion At https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce-/java/sid-5732/summary CVE-2018-5968 is referenced as fixed in 2.7.9.3.
However, I find it difficult to read that from the commit/code comments related to 2.7.9.3.
Could you elaborate on how you've come to the conclusion that 2.7.9.3 is safe (and includes a fix for CVE-2018-5968)?
@newbishme can you help answer @hinnerup's question and verify the fix info for the artifact.
@hinnerup Apologies for the slight confusion there. Below is the snippet from the CVE description of CVE-2018-5968:
This is exploitable via two different gadgets that bypass a blacklist.
Based on the information available at the time of identifying this issue, 2.7.9.3 was yet to be published.
When the comment above on #1931 was made, the content of https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce-/java/sid-5732/summary was updated to include 2.7.9.3.
A separate CVE was only recently assigned to #1931, and is currently awaiting analysis as of now. This has been cataloged as another vulnerability since the assignment of the CVE. Following that, the details of https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce-/java/sid-5732/summary should have been updated to remove 2.7.9.3.
GHSA-w3f4-3q6j-rh82 seems to indicate the version 2.6.7.3 is affected; is it that the advisories data is out of date? What are the steps to update it?
@ScrapCodes I don't know how github advisories work, what data source they use. If anyone is interested, they can point maintainers to https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.6.7.x which points out that 2.6.7.3 contains the fix.