jackson-databind: CVE-2019-12086

Related Vulnerabilities: CVE-2019-12086  

Debian Bug report logs - #929177
jackson-databind: CVE-2019-12086


Reported by: Markus Koschany <apo@debian.org>

Date: Sat, 18 May 2019 16:48:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version 2.9.8-1

Fixed in version jackson-databind/2.9.8-2

Done: Markus Koschany <apo@debian.org>

Forwarded to https://github.com/FasterXML/jackson-databind/issues/2326



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#929177; Package jackson-databind. (Sat, 18 May 2019 16:48:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 18 May 2019 16:48:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: jackson-databind: CVE-2019-12086
Date: Sat, 18 May 2019 18:46:03 +0200
[Message part 1 (text/plain, inline)]
Package: jackson-databind
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

I will take care of this one myself.

The following vulnerability was published for jackson-databind.

CVE-2019-12086[0]:
| A Polymorphic Typing issue was discovered in FasterXML jackson-
| databind 2.x before 2.9.9. When Default Typing is enabled (either
| globally or for a specific property) for an externally exposed JSON
| endpoint, the service has the mysql-connector-java jar (8.0.14 or
| earlier) in the classpath, and an attacker can host a crafted MySQL
| server reachable by the victim, an attacker can send a crafted JSON
| message that allows them to read arbitrary local files on the server.
| This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin
| validation.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12086
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Please adjust the affected versions in the BTS as needed.


[signature.asc (application/pgp-signature, attachment)]
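The CVE text above names the precondition (Default Typing enabled for a JSON endpoint) but shows no code. As an added illustration, not taken from the bug report or from jackson-databind itself, the Java below places the global Default Typing setting that creates that precondition beside the allow-list form jackson-databind provides from 2.10 onward (PolymorphicTypeValidator, which the 2.9.8 package discussed here does not have). The Shape and Circle types and the sample JSON are constructed for the example.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Hypothetical application types; Shape is the only base the endpoint should accept.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }

    // Weak setting: global Default Typing with no validator. Whatever class name the
    // JSON carries is resolved and instantiated, which is what CVE-2019-12086 relies on.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Hardened setting (2.10+): a type id is honoured only if it names a subtype of
    // Shape; anything else is rejected before an instance is created, so a class that
    // merely happens to be on the classpath is never reached.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Legitimate round trip through a property declared as Object: the wrapper
        // array produced by Default Typing names Circle, which the allow-list permits.
        Circle c = new Circle();
        c.radius = 2.0;
        String json = hardenedMapper().writeValueAsString(c);
        Object back = hardenedMapper().readValue(json, Object.class);
        System.out.println("accepted: " + back.getClass().getName());

        // Constructed input naming a JDK class instead. The weak mapper resolves it and
        // hands back an ArrayList; the hardened mapper refuses it at the validator.
        String untrusted = "[\"java.util.ArrayList\", []]";
        System.out.println("weak mapper built: " + weakMapper().readValue(untrusted, Object.class).getClass());
        try {
            hardenedMapper().readValue(untrusted, Object.class);
        } catch (JsonMappingException e) {
            System.out.println("hardened mapper rejected: " + e.getOriginalMessage());
        }
    }
}
```

Requires jackson-databind 2.10 or later on the classpath; on 2.9.x the only equivalent is to leave Default Typing off and declare polymorphic types explicitly with @JsonTypeInfo and a fixed set of @JsonSubTypes.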

Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sat, 18 May 2019 19:06:03 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Sat, 18 May 2019 19:06:03 GMT)


Message #10 received at 929177-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 929177-close@bugs.debian.org
Subject: Bug#929177: fixed in jackson-databind 2.9.8-2
Date: Sat, 18 May 2019 19:03:25 +0000
Source: jackson-databind
Source-Version: 2.9.8-2

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929177@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 May 2019 20:31:28 +0200
Source: jackson-databind
Architecture: source
Version: 2.9.8-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 929177
Changes:
 jackson-databind (2.9.8-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2019-12086:
     A Polymorphic Typing issue was discovered in jackson-databind. When
     Default Typing is enabled (either globally or for a specific property) for
     an externally exposed JSON endpoint, the service has the
     mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
     attacker can host a crafted MySQL server reachable by the victim, an
     attacker can send a crafted JSON message that allows them to read arbitrary
     local files on the server. This occurs because of missing
     com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)





Marked as found in versions 2.9.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 18 May 2019 19:18:04 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 18 May 2019 19:18:05 GMT)


Set Bug forwarded-to-address to 'https://github.com/FasterXML/jackson-databind/issues/2326'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 18 May 2019 19:18:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:26:05 2019; Machine Name: beach
