
Bug 675682 (CVE-2017-15095, CVE-2017-17485)

Summary: dev-java/jackson-databind: multiple vulnerabilities
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java, treecleaner
Priority: Normal
Keywords: PMASKED
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/FasterXML/jackson-databind/issues/1855
See Also: https://bugs.gentoo.org/show_bug.cgi?id=699106
Whiteboard: ~2 [upstream/ebuild]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 648952, 674670, 675156, 675650
Deadline: 2019-05-12

Description D'juan McDonald (domhnall) 2019-01-17 10:36:59 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2017-17485):

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.


Affected Versions:
Jackson-databind version <= 2.9.3
Jackson-databind version <= 2.7.9.1
Jackson-databind version <= 2.8.10

Unaffected Versions:
Jackson-databind version 2.9.3.1
Jackson-databind version 2.7.9.2
Jackson-databind version 2.8.11


@maintainer(s): "Developers are advised to check whether the jackson-databind component is used in applications, and if so, to further check its version number and whether the enableDefaultTyping method is called in the code"


Gentoo-Security Padawan
(domhnall)
Comment 1 D'juan McDonald (domhnall) 2019-01-17 11:57:53 UTC
How to check:

1. Get the source file.
2. jackson-databind is included in pom.xml.
3. grep for "<artifactId>jackson-databind</artifactId>" and the version is one of the affected versions listed in the Affected Versions section.
4. Check whether the `enableDefaultTyping` method is called in the code.

If yes for 2, 3, 4... the package is affected.
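The check described in Comment 1, carried out in code, as an added example that is not part of the bug report or of the jackson-databind project. It parses a Maven pom.xml for the jackson-databind dependency (resolving a `${property}` version, which a plain grep of the artifactId line would miss), compares the version against the first fixed release of each branch taken from the bug's Unaffected Versions list (2.7.9.2, 2.8.11, 2.9.3.1), and scans Java sources for a call to `enableDefaultTyping`. The sample pom.xml and Java snippet are constructed for the example; the assumption that releases older than the 2.7 branch are also affected follows the advisory's "through 2.8.10" wording.

```python
import re
import xml.etree.ElementTree as ET

# First unaffected release of each branch, from the bug's "Unaffected Versions" list.
FIRST_FIXED = {
    (2, 7): (2, 7, 9, 2),
    (2, 8): (2, 8, 11),
    (2, 9): (2, 9, 3, 1),
}

# Constructed sample pom.xml (not from any real project). The version is supplied
# through a Maven property, so grepping only the <artifactId> line would not reveal it.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <jackson.version>2.9.3</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed Java snippet that enables default typing on an ObjectMapper.
SAMPLE_JAVA = """
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
"""

DEFAULT_TYPING_RE = re.compile(r"\benableDefaultTyping\s*\(")


def parse_version(version: str) -> tuple:
    """Turn '2.9.3.1' into (2, 9, 3, 1) so tuples compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str) -> bool:
    """True if the version is below the first fixed release of its branch."""
    v = parse_version(version)
    if len(v) < 2:
        return False  # not a recognisable release string
    branch = v[:2]
    if branch in FIRST_FIXED:
        return v < FIRST_FIXED[branch]
    # Assumption: branches older than 2.7 are affected ("through 2.8.10");
    # branches newer than 2.9 are outside the scope of this bug.
    return branch < (2, 7)


def find_jackson_versions(pom_xml: str) -> list:
    """Return the declared jackson-databind versions, resolving ${property} references."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props = {}
    for properties in root.iter(ns + "properties"):
        for prop in properties:
            props[prop.tag[len(ns):]] = (prop.text or "").strip()
    versions = []
    for dep in root.iter(ns + "dependency"):
        artifact = dep.find(ns + "artifactId")
        if artifact is None or (artifact.text or "").strip() != "jackson-databind":
            continue
        ver = dep.find(ns + "version")
        text = (ver.text or "").strip() if ver is not None else ""
        m = re.fullmatch(r"\$\{([^}]+)\}", text)
        if m:
            text = props.get(m.group(1), text)
        versions.append(text)
    return versions


def uses_default_typing(java_source: str) -> bool:
    """Step 4 of the check: is enableDefaultTyping(...) called anywhere?"""
    return DEFAULT_TYPING_RE.search(java_source) is not None


def assess(pom_xml: str, java_sources: list) -> dict:
    """Combine steps 2-4: flag only when an affected version AND default typing are both present."""
    versions = find_jackson_versions(pom_xml)
    affected = [v for v in versions if v and is_affected(v)]
    default_typing = any(uses_default_typing(src) for src in java_sources)
    return {
        "versions": versions,
        "affected_versions": affected,
        "enableDefaultTyping": default_typing,
        "flag": bool(affected) and default_typing,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_POM, [SAMPLE_JAVA]))
```

A version that is not affected but still calls `enableDefaultTyping` is reported with `"flag": False` here because that is what Comment 1 asks for; the `enableDefaultTyping` field is still returned so the caller can see it.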
Comment 2 Larry the Git Cow gentoo-dev 2019-04-13 03:22:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad77bce60d04e76bd37cbfc87cf35cb58a0f8a92

commit ad77bce60d04e76bd37cbfc87cf35cb58a0f8a92
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-04-13 03:21:11 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-04-13 03:22:33 +0000

    profiles/package.mask: add dev-java/jackson-databind
    
    * Multiple security vulnerabilities
    * No revbump in several years
    
    Bug: https://bugs.gentoo.org/675682
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 12 ++++++++++++
 1 file changed, 12 insertions(+)
Comment 3 Patrice Clement gentoo-dev 2019-05-12 08:43:25 UTC
Package removed from the Portage tree.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6599dc1625a0840c6280b60cc6cacf388fc8d049