Block one more gadget type (org.arrahtec:profiler-core, CVE-xxxx-xxx) #2827

cowtowncoder · 2020-08-22T20:38:57Z

Another gadget type(s) reported regarding class(es) of org.arrahtec:profiler-core library.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: [to be allocated]
Reporter(s): ChenZhaojun (Security Team of Alibaba Cloud)

Fix is included in:

2.9.10.6 (usable via jackson-bom version 2.9.10.20200824)
Not considered valid CVE for Jackson 2.10.0 and later (see https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba)

The text was updated successfully, but these errors were encountered:

bad-boy1 · 2020-08-28T01:41:04Z

will this issue be fixed in the new version，like 2.10.6 and 2.11.3，though it is mentioned that CVE not include 2.10.0 and later. In order to prevent some users not complying the new security mechanism and still using enableDefaultTyping，as also some users use activateDefaultTyping set org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl as a trusted class

cowtowncoder · 2020-08-28T03:27:49Z

@bad-boy1 Blocks are added in later versions too (SubTypeValidator is still applied).

But problem itself is not considered applicable, not only because user explicitly has to enable a feature but because methods to do so are marked as deprecated with noted safe alternatives.
Actually these issues should probably never have been accepted as legit CVEs since they require changing of default configuration -- something that I think would rule them out.

As to users enabling unsafe behavior: that is on them. One could always write a custom handler to open up security holes.

…L#2659 FasterXML#2660 FasterXML#2662 FasterXML#2664 FasterXML#2666 FasterXML#2670 FasterXML#2680 FasterXML#2682 FasterXML#2688 FasterXML#2698 FasterXML#2704 FasterXML#2765 FasterXML#2798 FasterXML#2814 FasterXML#2826 FasterXML#2827 FasterXML#2854 1. generated diff CVE diff git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java 2. cleanup the diff ,just remain the CVE change 3. apply the diff 4. check and make sure only commit the AutoType CVE change. ``` PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l echo $PR_LIST ```

#2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858) 1. generated diff CVE diff git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java 2. cleanup the diff ,just remain the CVE change 3. apply the diff 4. check and make sure only commit the AutoType CVE change. ``` PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l echo $PR_LIST ```

https://nvd.nist.gov/vuln/detail/CVE-2020-24750 https://nvd.nist.gov/vuln/detail/CVE-2020-24616 Release notes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches > jackson-databind 2.9.10.6 (24-Aug-2020) -- with jackson-bom version 2.9.10.20200824 > > * FasterXML/jackson-databind#2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750 > * FasterXML/jackson-databind#2814: Block one more gadget type (Anteros-DBCP, CVE-2020-24616) > * FasterXML/jackson-databind#2826: Block one more gadget type (com.nqadmin.rowset) > * FasterXML/jackson-databind#2827: Block one more gadget type (org.arrahtec:profiler-core)

Merged from FasterXML/jackson-databind#2826 FasterXML/jackson-databind#2827

…type Block one more gadget type (com.nqadmin.rowset, CVE-xxxx-xxx), Block one more gadget type Block one more gadget type (org.arrahtec:profiler-core, CVE-xxxx-xxx) Merged from FasterXML/jackson-databind#2826 FasterXML/jackson-databind#2827

cowtowncoder added to-evaluate Issue that has been received but not yet evaluated and removed to-evaluate Issue that has been received but not yet evaluated labels Aug 22, 2020

cowtowncoder added a commit that referenced this issue Aug 22, 2020

Fixed #2826, #2827

e701bd8

cowtowncoder added this to the 2.9.10.6 milestone Aug 22, 2020

cowtowncoder closed this as completed Aug 22, 2020

cowtowncoder changed the title ~~Block one more gadget type (xxx, CVE-xxxx-xxx)~~ Block one more gadget type (org.arrahtec:profiler-core, CVE-xxxx-xxx) Aug 24, 2020

cowtowncoder added the CVE Issues related to public CVEs (security vuln reports) label Aug 24, 2020

qxo mentioned this issue Sep 21, 2020

merge CVE from 2.9 branch(ad5a63017) #2858

Merged

joschi mentioned this issue Nov 11, 2020

Upgrade to Jackson 2.9.10.6 dropwizard/metrics#1708

Merged

tkanafa-atlassian added a commit to atlassian/jackson-1 that referenced this issue Apr 20, 2021

MNSTR-5023 backport security fix from jackson2

b9fc2f5

Merged from FasterXML/jackson-databind#2826 FasterXML/jackson-databind#2827

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Block one more gadget type (org.arrahtec:profiler-core, CVE-xxxx-xxx) #2827

Block one more gadget type (org.arrahtec:profiler-core, CVE-xxxx-xxx) #2827

cowtowncoder commented Aug 22, 2020 •

edited

Loading

bad-boy1 commented Aug 28, 2020

cowtowncoder commented Aug 28, 2020

Block one more gadget type (org.arrahtec:profiler-core, CVE-xxxx-xxx) #2827

Block one more gadget type (org.arrahtec:profiler-core, CVE-xxxx-xxx) #2827

Comments

cowtowncoder commented Aug 22, 2020 • edited Loading

bad-boy1 commented Aug 28, 2020

cowtowncoder commented Aug 28, 2020

cowtowncoder commented Aug 22, 2020 •

edited

Loading