Another two gadgets to exploit default typing issue in jackson-databind (CVE-2018-5968)

[OneSourceCat]

Another 2 gadget types reported against Hibernate, iBatis.

See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2018-5968

Fixed in:

• 2.9.4 and later
• 2.8.11.1
• 2.7.9.2
• 2.6.7.3

[cowtowncoder]

I am not sure I saw that email. Which address was it from (or what was the title)?

[OneSourceCat]

The title is [Critical] Jackson Deserialization RCE via a new Gadget.
There are two emails about two different gadget.

[cowtowncoder]

Ok somehow I do not see this via that email address (with that title or any other combination).
Would it be possible re-send it?

[codelion]

@OneSourceCat Should the latest published version of jackson-databind be considered vulnerable, until the issue is resolved?

[cowtowncoder]

@codelion before assuming anything, make sure to also read:

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

to know under what special conditions vulnerabilities exist. For most Jackson users these are not applicable.

[OneSourceCat]

@cowtowncoder I've already resent the report. My email address is chongrui123[at]gmail.com.

[cowtowncoder]

@OneSourceCat Ah. Gmail decided to put them in SPAM for some weird reason. :-o

[cplvic]

will this fix be added to the 2.8 branch

[cowtowncoder]

Yes, it is in 2.8 branch. Fix will be in 2.8.11.1 if such is released at some point; no full releases are planned for 2.8 at this point.
Fix was included in 2.9.4 release.

[cplvic]

thanks!

[cowtowncoder]

Micro-patch 2.8.11.1 was just released, and this fix is in it, along with #1872 and #1931.

[arunnc]

OWASP dependency check is still reporting this as vulnerable after updating to 2.8.11.1

[codelion]

@arunnc that’s a problem with OWASP dependency check, you can report it to them.

[arunnc]

Hi Asankhaya Issue is NVD database is not updated with the micro patch 2.8.11.1 version and fix details. Would you know how to get this corrected? On 14-Feb-2018 9:46 PM, "Asankhaya Sharma" <[email protected]> wrote: @arunnc <https://github.com/arunnc> that’s a problem with OWASP dependency check, you can report it to them. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1899 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AVtJFfwjs3rlS40kjlDXsT4BmUc7OCveks5tUwbOgaJpZM4Rixed> .

[codelion]

@arunnc In general, we cannot rely on NVD for the accuracy of vulnerable and fix versions. Shameless plug but you can try using https://www.sourceclear.com/ instead.

[hinnerup]

@codelion At https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce-/java/sid-5732/summary CVE-2018-5968 is referenced as fixed in 2.7.9.3.

However, I find it difficult to read that from the commit/code comments related to 2.7.9.3.

Could you elaborate on how you've come to the conclusion that 2.7.9.3 is safe (and includes a fix for CVE-2018-5968) ?

[ScrapCodes]

GHSA-w3f4-3q6j-rh82 seems to indicate the version 2.6.7.3 is affected, is it that the advisories data is out of date. What are the steps to update it?

[cowtowncoder]

@ScrapCodes I don't know how github advisories work, what data source they use. If anyone is interested, can point maintainers to https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.6.7.x which points that 2.6.7.3 contains the fix.