Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 675682 (CVE-2017-15095, CVE-2017-17485) - dev-java/jackson-databind: multiple vulnerabilities
Summary: dev-java/jackson-databind: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-15095, CVE-2017-17485
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Deadline: 2019-05-12
Assignee: Gentoo Security
URL: https://github.com/FasterXML/jackson-...
Whiteboard: ~2 [upstream/ebuild]
Keywords: PMASKED
Depends on:
Blocks: CVE-2018-7489 CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721 CVE-2018-19360, CVE-2018-19361, CVE-2018-19362 CVE-2018-12022, CVE-2018-12023
  Show dependency tree
 
Reported: 2019-01-17 10:36 UTC by D'juan McDonald (domhnall)
Modified: 2019-11-01 21:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-01-17 10:36:59 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2017-17485):

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.


    Affected Versions:
Jackson-databind version <= 2.9.3

Jackson-databind version <= 2.7.9.1

Jackson-databind version <= 2.8.10


    Unaffected Versions:
Jackson-databind version 2.9.3.1

Jackson-databind version 2.7.9.2

Jackson-databind version 2.8.11


@maintainer(s): "Developers are advised to check whether the jackson-databind component is used in applications, and if so, to further check its version number and whether the enableDefaultTyping method is called in the code"


Gentoo-Security Padawan
(domhnall)
Comment 1 D'juan McDonald (domhnall) 2019-01-17 11:57:53 UTC
How to check:

1. get source file
2. jackson-databind is included in pom.xml
3. grep for "<artifactId>jackson-databind</artifactId>" and version is affected listed in Affection section.

4.check whether the `enableDefaultTyping` method is called in the code.

If yes for 2,3,4... package is affected.
Comment 2 Larry the Git Cow gentoo-dev 2019-04-13 03:22:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad77bce60d04e76bd37cbfc87cf35cb58a0f8a92

commit ad77bce60d04e76bd37cbfc87cf35cb58a0f8a92
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-04-13 03:21:11 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-04-13 03:22:33 +0000

    profiles/package.mask: add dev-java/jackson-databind
    
    * Multiple security vulnerabilities
    * No revbump in several years
    
    Bug: https://bugs.gentoo.org/675682
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 12 ++++++++++++
 1 file changed, 12 insertions(+)
Comment 3 Patrice Clement gentoo-dev 2019-05-12 08:43:25 UTC
Package removed from the Portage tree.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6599dc1625a0840c6280b60cc6cacf388fc8d049