Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block one more gadget type (cxf-jax-rs, no CVE allocated yet) #2420

Closed
cowtowncoder opened this issue Aug 9, 2019 · 7 comments
Closed

Block one more gadget type (cxf-jax-rs, no CVE allocated yet) #2420

cowtowncoder opened this issue Aug 9, 2019 · 7 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Aug 9, 2019
edited
Loading

Similar to other Unbounded Polymorphic Type (default typing, usually) vulnerabilities, one was reported against CXF JAX-RS implementation. Details to be added once specific class added to deny-list.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Fixed in:

  • 2.9.10
  • 2.8.11.5
  • 2.6.7.3
  • does not affect 2.10.0 and later
@cowtowncoder cowtowncoder added 2.8 CVE Issues related to public CVEs (security vuln reports) labels Aug 9, 2019
cowtowncoder added a commit that referenced this issue Aug 9, 2019
@cowtowncoder
Fix #2410 #2420
d4983c7
@cowtowncoder cowtowncoder added this to the 2.9.10 milestone Aug 9, 2019
@cowtowncoder
Copy link
Member Author

Block added, will be included in:

  • 2.9.10
  • 2.10.0.pr2 (and final 2.10.0)

also backported in 2.8 branch but not sure if any more releases for 2.8 will be made.

@jdelta-RBS
Copy link

@cowtowncoder Assuming this affects 2.7.9.6, 2.8.11.4, and 2.9.9.3, correct?

@cowtowncoder
Copy link
Member Author

@jdelta-RBS Correct.

@yangqi1210
Copy link

@cowtowncoder Does this affect 2.9.9.2 ?

@jdelta-RBS
Copy link

@cowtowncoder Does this affect 2.9.9.2 ?

If 2.9.9.3 is affected, 2.9.9.2 is going to be as well.

@laszlovandenhoek laszlovandenhoek mentioned this issue Sep 6, 2019
Merged
@cowtowncoder cowtowncoder added 2.9 and removed 2.8 labels Sep 12, 2019
@cowtowncoder cowtowncoder changed the title Block one more gadget type (no CVE allocated yet) Block one more gadget type (cxf-jax-rs, no CVE allocated yet) Sep 21, 2019
@sseide sseide mentioned this issue Sep 27, 2019
Merged
2 tasks
ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019
@ablekhman
Block one more gadget type (cxf-jax-rs, no CVE allocated yet)
3b62b24 
Merged from FasterXML/jackson-databind#2420
@OwenMoriarty-JNJ
Copy link

What needs to happen for a CVE to be assigned?

@cowtowncoder
Copy link
Member Author

Someone needs to request id, or find an existing id that was requested and allocated.
I do not have plans to go with the request process at this point.

This was referenced May 10, 2022
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10
Development

No branches or pull requests
4 participants
@cowtowncoder @yangqi1210 @jdelta-RBS @OwenMoriarty-JNJ