Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531) #2498
Comments
cowtowncoder
added
2.9
CVE
|
Fixed: off to file for CVE ID. Also need to consider timing of 2.9.10 now; we have two separate issues. |
cowtowncoder
changed the title
ablekhman
added a commit
to atlassian/jackson-1
that referenced
this issue
Oct 23, 2019
julianladisch
added a commit
to folio-org/raml-module-builder
that referenced
this issue
Nov 5, 2019
…ties. Three serialization gadget (= polymorphic typing) security vulnerability issues have been reported against jackson-databind versions before 2.9.10.1: jackson-databind 2.9.10.1 (released 2019-10-20) fixes * commons-dbcp, p6spy ([CVE-2019-16942|https://nvd.nist.gov/vuln/detail/CVE-2019-16942] / [CVE-2019-16943|https://nvd.nist.gov/vuln/detail/CVE-2019-16943] = [jackson-databind #2478|FasterXML/jackson-databind#2478]) * log4j-extras/1.2 ([CVE-2019-17531|https://nvd.nist.gov/vuln/detail/CVE-2019-17531] = [jackson-databind #2498|FasterXML/jackson-databind#2498]) jackson-databind [2.9.10.2|https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches] (not yet released) fixes * ehcache/JNDI (CVEs to be allocated = [jackson-databind #2526|FasterXML/jackson-databind#2526]) See also * [On Jackson CVEs: Don't Panic — Here is what you need to know|https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062] * [Jackson 2.10 features (esp "Safe Default Typing" to vanquish stream of CVE patches!)|https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Another gadget type reported regarding a class of apache-log4j-extras package.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.
Mitre id: CVE-2019-17531
Reporter: 张先辉 Zhangxianhui
Fix will be included in:
The text was updated successfully, but these errors were encountered: