Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 648952 (CVE-2018-7489)

Summary: dev-java/jackson-databind: Incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
Product: Gentoo Security Reporter: Dimitris Nakos (sokan) <sokan>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/FasterXML/jackson-databind/issues/1931
Whiteboard: ~2 [ebuild cve]
Package list:
Runtime testing required: ---
Bug Depends on: 674670, 675682    
Bug Blocks:    

Description Dimitris Nakos (sokan) 2018-02-27 14:55:34 UTC 
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. 

Fix/Commit: https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2

Fixed in 2.8.11.1 (newly released) and 2.9.5 (when it is released).

- Gentoo Security Padawan -
Comment 1 D'juan McDonald (domhnall) 2018-09-08 02:18:18 UTC 
2.9.5 released 3/26/2018 with fix see:
https://github.com/FasterXML/jackson-databind/blob/jackson-databind-2.9.5/release-notes/VERSION-2.x

@Demetris, fyi 2.8.11 branch is milestone/testing.
Comment 2 Patrice Clement (RETIRED) gentoo-dev 2019-05-12 08:42:57 UTC 
Package removed from the Portage tree.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6599dc1625a0840c6280b60cc6cacf388fc8d049