Posted to issues@beam.apache.org by "Joel Cain (Jira)" <ji...@apache.org> on 2021/07/29 09:43:00 UTC

[jira] [Updated] (BEAM-12679) Critical issues are being pulled in by 2 of Beam's dependencies

     [ https://issues.apache.org/jira/browse/BEAM-12679?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joel Cain updated BEAM-12679:
-----------------------------
    Description: 
Vulnerabilities are being detected by scans of images using the Twistlock security service.

Vulnerabilities:
 1. org.apache.logging.log4j_log4j-api version 2.6.2 has 2 vulnerabilities (1 critical)

 Main issue description: In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

 This issue is fixed in version 2.8.2.

 2. com.fasterxml.jackson.core_jackson-databind version 2.9.8 has 49 vulnerabilities (14 critical)

 Example issue description: A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()`, or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way in which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

 All issues are resolved in versions starting with 2.9.10.4.

  was:
Vulnerabilities are being detected by scans of images using the Twistlock security service.

Vulnerabilities:
 1. org.apache.logging.log4j_log4j-api version 2.6.2 has 2 vulnerabilities (1 critical)

 Main issue description: In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

 This issue is fixed in version 2.8.2.

 2. com.fasterxml.jackson.core_jackson-databind version 2.9.8 has 49 vulnerabilities (14 critical)

 Example issue description: A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()`, or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way in which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

 All issues are resolved in versions after 2.9.10.4.


> Critical issues are being pulled in by 2 of Beam's dependencies
> ---------------------------------------------------------------
>
>                 Key: BEAM-12679
>                 URL: https://issues.apache.org/jira/browse/BEAM-12679
>             Project: Beam
>          Issue Type: Bug
>          Components: dependencies
>            Reporter: Joel Cain
>            Priority: P2
>
> Vulnerabilities are being detected by scans of images using the Twistlock security service.
> Vulnerabilities:
>  1. org.apache.logging.log4j_log4j-api version 2.6.2 has 2 vulnerabilities (1 critical)
>
>  Main issue description: In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
>
>  This issue is fixed in version 2.8.2.
>
>  2. com.fasterxml.jackson.core_jackson-databind version 2.9.8 has 49 vulnerabilities (14 critical)
>
>  Example issue description: A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()`, or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way in which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
>
>  All issues are resolved in versions starting with 2.9.10.4.
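As an added example, not code from this issue or from Beam itself: the jackson-databind configuration the description refers to, the deprecated enableDefaultTyping() setting, shown beside the two hardened alternatives, a closed @JsonSubTypes list and default typing scoped by a PolymorphicTypeValidator allowlist (the validator API needs jackson-databind 2.10 or later). The Event hierarchy and the com.example.events package prefix are assumptions.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicConfig {
    // Hypothetical event hierarchy. The explicit @JsonSubTypes list is a closed
    // allowlist for this base type: "kind" can only ever select Click or View.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Click.class, name = "click"),
        @JsonSubTypes.Type(value = View.class, name = "view")
    })
    public interface Event {}
    public static class Click implements Event { public String target; }
    public static class View implements Event { public String page; }

    // Weak: the deprecated enableDefaultTyping() named in the issue. JSON for any
    // non-final declared type may carry a class name the mapper tries to instantiate.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // Hardened: no default typing. Polymorphism exists only where a base type
    // is annotated, and only for the subtypes it lists.
    public static ObjectMapper strictMapper() {
        return new ObjectMapper();
    }

    // If mapper-wide default typing is genuinely needed, scope it (2.10+) with a
    // validator: subtypes outside the named package prefix are rejected up front.
    public static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.events.") // hypothetical package prefix
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        String json = "{\"kind\":\"click\",\"target\":\"buy\"}";
        Event e = strictMapper().readValue(json, Event.class);
        System.out.println(e.getClass().getSimpleName());
    }
}
```

With strictMapper(), a "kind" value that is not "click" or "view" fails with an InvalidTypeIdException instead of resolving to an arbitrary class, which is the behaviour a scan finding like this one is asking you to guarantee.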



--
This message was sent by Atlassian Jira
(v8.3.4#803005)