Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block one more gadget type (ehcache, CVE-2019-14379) #2387

Closed
Heartway opened this issue Jul 23, 2019 · 4 comments
Closed

Block one more gadget type (ehcache, CVE-2019-14379) #2387

Heartway opened this issue Jul 23, 2019 · 4 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.9.2

Comments

@Heartway
Copy link

Heartway commented Jul 23, 2019
edited by cowtowncoder
Loading

Another gadget type reported regarding a class of ehcache package.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Fixed in:

  • 2.9.10
  • 2.8.11.4
  • 2.7.9.6
  • 2.6.7.3
@cowtowncoder
Copy link
Member

cowtowncoder commented Jul 24, 2019
edited
Loading

Thank you; I'll have a look later tonight.
(mental note: this is the one about ehcache -- need to file another one)

@cowtowncoder cowtowncoder added ACTIVE CVE Issues related to public CVEs (security vuln reports) labels Jul 24, 2019
cowtowncoder added a commit that referenced this issue Jul 26, 2019
@cowtowncoder
Backport #2387, #2389 fixes
ad418ee
@jdelta-RBS
Copy link

This was assigned CVE-2019-14379

@jdelta-RBS
Copy link

jdelta-RBS commented Jul 29, 2019
edited
Loading

@cowtowncoder CVE lists 2.9.9.2 as fixing, 2.9.9.1 as affected... would this also affect 2.7.9.5 and 2.8.11.3, with 2.7.9.6 and 2.8.11.4 as fixing versions?

@cowtowncoder cowtowncoder changed the title A new gadgets to exploit default typing issue in jackson-databind Block one more gadget type (CVE-2019-14379) Jul 29, 2019
@cowtowncoder
Copy link
Member

@jdelta-RBS correct, I backported this to 2.7 and 2.8, released one last micro-patch (will now close those branches). Will add a note on description here.

@cowtowncoder cowtowncoder added this to the 2.9.9.2 milestone Jul 30, 2019
@cowtowncoder cowtowncoder changed the title Block one more gadget type (CVE-2019-14379) Block one more gadget type (ehcache, CVE-2019-14379) Jul 30, 2019
@jalmoreno jalmoreno mentioned this issue Aug 1, 2019
Merged
@mibo mibo mentioned this issue Aug 2, 2019
Merged
ind1go added a commit to ind1go/cics-bundle-maven that referenced this issue Aug 3, 2019
@ind1go
Update dependency to avoid jackson-databind CVEs
5c87837 
Avoids CVE-2019-14379 FasterXML/jackson-databind#2387
Avoids CVE-2019-14439 FasterXML/jackson-databind#2389

Signed-off-by: Ben Cox <[email protected]>
based2 added a commit to based2/checker-maven-plugin that referenced this issue Aug 3, 2019
@based2
fix jackson-databind to 2.9.9.2 CVE-2019-14379
193d094 
FasterXML/jackson-databind#2387
https://issues.apache.org/jira/browse/BEAM-7880

FasterXML/jackson-databind#2395
scottfrederick pushed a commit to spring-cloud/spring-cloud-connectors that referenced this issue Aug 5, 2019
@mibo @scottfrederick
Updated jackson-databind version to 2.9.9.2
94dff58 
Updated jackson-databind version to 2.9.9.2 which contains fix for:
- [CVE-2019-14379](FasterXML/jackson-databind#2387)
- [CVE-2019-14361 / CVE-2019-14439](FasterXML/jackson-databind#2389)
@swalker125 swalker125 mentioned this issue Aug 6, 2019
Merged
@AnEmortalKid AnEmortalKid mentioned this issue Aug 6, 2019
Closed
@ghost ghost mentioned this issue Aug 8, 2019
Closed
marco-schmidt added a commit to marco-schmidt/am that referenced this issue Aug 10, 2019
@marco-schmidt
upgrade dependency to fix security issue CVE-2019-14379
6c0cd8d 
FasterXML/jackson-databind#2387
odl-github pushed a commit to opendaylight/odlparent that referenced this issue Aug 14, 2019
@skitt @rovarga
Upgrade jackson-databind for CVE-2019-14379
d59a6f7 
See FasterXML/jackson-databind#2387 for
details.

Change-Id: I3a8a416bba7e72861512531a3a83d818daf6fd5f
Signed-off-by: Stephen Kitt <[email protected]>
Signed-off-by: Robert Varga <[email protected]>
odl-github pushed a commit to opendaylight/odlparent that referenced this issue Aug 14, 2019
@rovarga
Upgrade jackson-databind for CVE-2019-14379
c242f8c 
See FasterXML/jackson-databind#2387 for
details.

Change-Id: I3a8a416bba7e72861512531a3a83d818daf6fd5f
Signed-off-by: Stephen Kitt <[email protected]>
Signed-off-by: Robert Varga <[email protected]>
odl-github pushed a commit to opendaylight/odlparent that referenced this issue Aug 14, 2019
@skitt @rovarga
Upgrade jackson-databind for CVE-2019-14379
5bb7f86 
See FasterXML/jackson-databind#2387 for
details.

Change-Id: I3a8a416bba7e72861512531a3a83d818daf6fd5f
Signed-off-by: Stephen Kitt <[email protected]>
Signed-off-by: Robert Varga <[email protected]>
odl-github pushed a commit to opendaylight/odlparent that referenced this issue Aug 14, 2019
@skitt @rovarga
Upgrade jackson-databind for CVE-2019-14379
4310d65 
See FasterXML/jackson-databind#2387 for
details.

Change-Id: I3a8a416bba7e72861512531a3a83d818daf6fd5f
Signed-off-by: Stephen Kitt <[email protected]>
Signed-off-by: Robert Varga <[email protected]>
cfieber added a commit to cfieber/kork that referenced this issue Sep 4, 2019
@cfieber
fix(vuln): upgrade jackson for CVE remediation
0983217 
the updated bom bumps jackson-databind from 2.9.9 -> 2.9.9.3

see FasterXML/jackson-databind#2387
@cfieber cfieber mentioned this issue Sep 4, 2019
Merged
cfieber added a commit to spinnaker/kork that referenced this issue Sep 4, 2019
@cfieber
fix(vuln): upgrade jackson for CVE remediation (#375)
8fe5654 
the updated bom bumps jackson-databind from 2.9.9 -> 2.9.9.3

see FasterXML/jackson-databind#2387
@mprins mprins mentioned this issue Sep 6, 2019
Closed
@lufeirider lufeirider mentioned this issue Sep 20, 2019
Closed
asereda-gs added a commit to immutables/immutables that referenced this issue Sep 20, 2019
@asereda-gs
Upgrade jackson databind 2.8.11.3 -> 2.8.11.4 because of security vul…
9ea18d6 
…nerabilities

FasterXML/jackson-databind#2326: Block class for CVE-2019-12086
FasterXML/jackson-databind#2334: Block class for CVE-2019-12384
FasterXML/jackson-databind#2341: Block class for CVE-2019-12814
FasterXML/jackson-databind#2387: Block class for CVE-2019-14379
FasterXML/jackson-databind#2389: Block class for CVE-2019-14439
ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019
@ablekhman
Block one more gadget type (ehcache, CVE-2019-14379)
7a6d5d3 
Merged from FasterXML/jackson-databind#2387
@UltramanGaia UltramanGaia mentioned this issue Oct 24, 2019
Closed
@janrieke janrieke mentioned this issue May 24, 2020
Open
Merged
4 tasks
@padma81 padma81 mentioned this issue Jul 28, 2020
Closed
@sijie sijie mentioned this issue Jul 28, 2020
Open
This was referenced May 10, 2022
Open
Open
@scott-cx scott-cx mentioned this issue Aug 1, 2022
Open
@cxronen cxronen mentioned this issue Sep 20, 2022
Open
@margaritalm margaritalm mentioned this issue Dec 25, 2022
Open
This was referenced Feb 15, 2023
Open
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
@stschott stschott mentioned this issue Sep 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.9.2
Development

No branches or pull requests
3 participants
@cowtowncoder @Heartway @jdelta-RBS