Block two more gadget types (commons-configuration/-2)

[ybhou1993]

Another gadget (*) type report regarding a class of commons-configuration (and later commons-configuration2) package(s)

Mitre id: not yet allocated
Reporter: @ybhou1993

Fixed in:

• 2.9.10 and later
• 2.8.11.5
• 2.6.7.3
• does not affect 2.10.0 and later

---

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type

[melloware]

Since you mentioned commons config 1.9 you might also want to block commons-configuration2 which is a different class.

org.apache.commons.configuration2.JNDIConfiguration

[cowtowncoder]

I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

[ybhou1993]

I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

I agree what you said. Besides, I wonder to know if 2.9.10 version would be released in mid-October or later?

[ybhou1993]

I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

I have send a email to [email protected]. The article is written in Chinese, published in a china security community

[cowtowncoder]

I hope 2.9.10 can released early in October, in first part. I just want to wait for 2.10.0 to get out first.
Thank you for sending more details, that should be helpful.

[cowtowncoder]

Ok, so, commons-configuration (and -2) seem plausible via setProperty() (as per article) so I added blocks.
This issue shall remain for those ones.

I filed Xalan part under #2469

[cowtowncoder]

2.9.10 not released, contains blocks. 2.10.0 released, does contain block, but not considered vulnerable since "enableDefaultTyping()" deprecated, safe "activateDefaultTyping()" added.