(https://nvd.nist.gov/vuln/detail/CVE-2017-17485): FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Affected Versions:
Jackson-databind version <= 2.9.3
Jackson-databind version <= 2.7.9.1
Jackson-databind version <= 2.8.10

Unaffected Versions:
Jackson-databind version 2.9.3.1
Jackson-databind version 2.7.9.2
Jackson-databind version 2.8.11

@maintainer(s): "Developers are advised to check whether the jackson-databind component is used in applications, and if so, to further check its version number and whether the enableDefaultTyping method is called in the code"

Gentoo-Security Padawan (domhnall)
How to check:
1. get source file
2. jackson-databind is included in pom.xml
3. grep for "<artifactId>jackson-databind</artifactId>" and version is affected, as listed in the Affected section.
4. check whether the `enableDefaultTyping` method is called in the code.
If yes for 2, 3, 4... package is affected.
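As an added example (not code from the Gentoo bug or from the Jackson project), a Python script that applies the check above to a project's pom.xml and Java sources: it resolves the declared jackson-databind version (including a ${property} reference), compares it against the fixed releases listed in the bug, and reports the lines that call enableDefaultTyping. The sample POM and Java snippet are constructed, and treating branches older than 2.7 as affected (no fixed release is listed for them) is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the bug; a version is vulnerable when it is older than the
# fix on its own branch. Tuples compare element-wise: (2, 9, 3) < (2, 9, 3, 1).
FIXED_BY_BRANCH = {(2, 7): (2, 7, 9, 2), (2, 8): (2, 8, 11), (2, 9): (2, 9, 3, 1)}
DEFAULT_TYPING = re.compile(r"\benableDefaultTyping\s*\(")

def parse_version(text):
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected_version(version):
    v = parse_version(version)
    if v[:2] in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[v[:2]]
    # Assumption: branches before 2.7 have no fixed release listed in the bug,
    # so they are reported as affected; 2.10 and later postdate the fix.
    return v[:2] < (2, 7)

def jackson_databind_version(pom_xml):
    """Declared jackson-databind version, resolving ${prop} via <properties>."""
    root = ET.fromstring(pom_xml)
    tag = lambda el: el.tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace
    props = {tag(p): (p.text or "").strip() for el in root.iter() if tag(el) == "properties" for p in el}
    for dep in (el for el in root.iter() if tag(el) == "dependency"):
        fields = {tag(c): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") == "jackson-databind":
            version = fields.get("version", "")
            m = re.fullmatch(r"\$\{(.+)\}", version)
            return props.get(m.group(1), version) if m else version
    return None

def default_typing_lines(java_source):
    """1-based line numbers that call ObjectMapper.enableDefaultTyping."""
    return [n for n, line in enumerate(java_source.splitlines(), 1) if DEFAULT_TYPING.search(line)]

def assess(pom_xml, java_sources):
    """The bug's three-part check: dependency present, affected version, default typing on."""
    version = jackson_databind_version(pom_xml)
    hits = {f: lines for f, src in java_sources.items() if (lines := default_typing_lines(src))}
    vulnerable = version is not None and is_affected_version(version)
    return {"version": version, "vulnerable_version": vulnerable, "default_typing": hits,
            "affected": vulnerable and bool(hits)}

# Constructed sample inputs (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.9.3</jackson.version></properties>
  <dependencies><dependency><artifactId>jackson-databind</artifactId>
    <version>${jackson.version}</version></dependency></dependencies></project>"""
SAMPLE_JAVA = {"Config.java": "ObjectMapper m = new ObjectMapper();\nm.enableDefaultTyping();\n"}
```

Run `assess(SAMPLE_POM, SAMPLE_JAVA)` against a real tree by reading its pom.xml and mapping each .java path to its contents; a result is only "affected" when all three of the bug's conditions hold.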
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad77bce60d04e76bd37cbfc87cf35cb58a0f8a92

commit ad77bce60d04e76bd37cbfc87cf35cb58a0f8a92
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-04-13 03:21:11 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-04-13 03:22:33 +0000

profiles/package.mask: add dev-java/jackson-databind

* Multiple security vulnerabilities
* No revbump in several years

Bug: https://bugs.gentoo.org/675682
Signed-off-by: Aaron Bauman <bman@gentoo.org>

profiles/package.mask | 12 ++++++++++++
1 file changed, 12 insertions(+)
Package removed from the Portage tree. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6599dc1625a0840c6280b60cc6cacf388fc8d049