Block one more gadget type (ehcache, CVE-2019-14379) #2387

Closed
Heartway opened this issue Jul 23, 2019 · 4 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Comments

@Heartway
Heartway commented Jul 23, 2019

Another gadget type was reported regarding a class of the ehcache package.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for a description of the general problem.

Fixed in:

  • 2.9.10
  • 2.8.11.4
  • 2.7.9.6
  • 2.6.7.3
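As an added defensive example (not code from this issue or from jackson-databind itself): the problem reported here is that a mapper with default typing enabled resolves whatever class name the JSON supplies, so each newly found gadget class needs its own block-list entry. The durable fix is to resolve polymorphic type ids only against an explicit allowlist. The code below assumes jackson-databind 2.10 or later on the classpath (the `BasicPolymorphicTypeValidator` API does not exist in the 2.9.x releases named above) and uses a hypothetical `Circle` model class as the only permitted subtype.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {

    // Hypothetical application model: the only class we ever expect as a polymorphic value.
    public static final class Circle {
        public double radius;
    }

    // Hardened mapper: default typing stays on (the application needs it), but a type id
    // is accepted only when it names a class on the allowlist. Everything else is refused,
    // so a gadget class that is not yet on jackson's block list still cannot be resolved.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // name-prefix match; here the prefix is the full name of the one allowed class
                .allowIfSubType(Circle.class.getName())
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Replaces the unvalidated enableDefaultTyping() that made CVE-2019-14379 reachable.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input in the default WRAPPER_ARRAY layout: ["type id", value]
        String allowed = "[\"" + Circle.class.getName() + "\", {\"radius\": 2.0}]";
        Circle c = (Circle) mapper.readValue(allowed, Object.class);
        System.out.println("allowed: radius=" + c.radius);

        // Constructed input naming a class outside the allowlist (a harmless one here);
        // the validator rejects the type id, and the value is never instantiated.
        String refused = "[\"java.util.HashMap\", {}]";
        try {
            mapper.readValue(refused, Object.class);
            System.out.println("unexpected: type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("refused: " + e.getOriginalMessage());
        }
    }
}
```

If the application does not actually need default typing, the stronger mitigation is to leave it off entirely and declare polymorphism per base class with `@JsonTypeInfo` and `@JsonSubTypes`.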
@cowtowncoder

cowtowncoder commented Jul 24, 2019

Thank you; I'll have a look later tonight.
(mental note: this is the one about ehcache -- need to file another one)

@cowtowncoder cowtowncoder added ACTIVE CVE Issues related to public CVEs (security vuln reports) labels Jul 24, 2019
cowtowncoder added a commit that referenced this issue Jul 26, 2019
@jdelta-RBS

This was assigned CVE-2019-14379

@jdelta-RBS

jdelta-RBS commented Jul 29, 2019

@cowtowncoder CVE lists 2.9.9.2 as fixing, 2.9.9.1 as affected... would this also affect 2.7.9.5 and 2.8.11.3, with 2.7.9.6 and 2.8.11.4 as fixing versions?

@cowtowncoder cowtowncoder changed the title from "A new gadgets to exploit default typing issue in jackson-databind" to "Block one more gadget type (CVE-2019-14379)" Jul 29, 2019
@cowtowncoder

@jdelta-RBS correct, I backported this to 2.7 and 2.8, released one last micro-patch (will now close those branches). Will add a note on description here.

@cowtowncoder cowtowncoder added this to the 2.9.9.2 milestone Jul 30, 2019
@cowtowncoder cowtowncoder changed the title from "Block one more gadget type (CVE-2019-14379)" to "Block one more gadget type (ehcache, CVE-2019-14379)" Jul 30, 2019
ind1go added a commit to ind1go/cics-bundle-maven that referenced this issue Aug 3, 2019
scottfrederick pushed a commit to spring-cloud/spring-cloud-connectors that referenced this issue Aug 5, 2019
Updated jackson-databind version to 2.9.9.2 which contains fix for:
- [CVE-2019-14379](FasterXML/jackson-databind#2387)
- [CVE-2019-14361 / CVE-2019-14439](FasterXML/jackson-databind#2389)
odl-github pushed a commit to opendaylight/odlparent that referenced this issue Aug 14, 2019
See FasterXML/jackson-databind#2387 for
details.

Change-Id: I3a8a416bba7e72861512531a3a83d818daf6fd5f
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
cfieber added a commit to cfieber/kork that referenced this issue Sep 4, 2019
the updated bom bumps jackson-databind from 2.9.9 -> 2.9.9.3

see FasterXML/jackson-databind#2387
cfieber added a commit to spinnaker/kork that referenced this issue Sep 4, 2019
the updated bom bumps jackson-databind from 2.9.9 -> 2.9.9.3

see FasterXML/jackson-databind#2387
ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019
3 participants