Posted to commits@cassandra.apache.org by "Abhishek Singh (Jira)" <ji...@apache.org> on 2019/11/13 05:13:00 UTC

[jira] [Created] (CASSANDRA-15416) CVE-2017-7525 ( jackson-databind is vulnerable to Remote Code Execution) on version 3.11.4

Abhishek Singh created CASSANDRA-15416:
------------------------------------------

             Summary: CVE-2017-7525 ( jackson-databind is vulnerable to Remote Code Execution) on version 3.11.4
                 Key: CASSANDRA-15416
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15416
             Project: Cassandra
          Issue Type: Bug
            Reporter: Abhishek Singh


*Description :*
*Severity :* CVE CVSS 2.0: 7.5; Sonatype CVSS 3: 8.5

*Weakness :* CVE CWE: 502

*Source :* National Vulnerability Database

*Categories :* Data

*Description from CVE :* A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

*Explanation :* jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
NOTE: This vulnerability is also tracked by the Apache Struts team as S2-055.

*Detection :* The application is vulnerable by using this component, when default typing is enabled.
Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

*Recommendation :* As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability.
Reference: [https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2]
In order to mitigate this vulnerability, we recommend upgrading to at least version 2.10.0 and changing any usages of enableDefaultTyping() to activateDefaultTyping().
Alternatively, if upgrading is not a viable option, this vulnerability can be mitigated by disabling default typing. Instead, you will need to implement your own:

It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(...) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.

Reference: [https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization]
Examples of implementing your own typing can be found by looking at this Stack Overflow article.

*Root Cause :* apache-cassandra-3.11.4-bin.tar.gz : org/codehaus/jackson/map/deser/BeanDeserializerFactory.class : [0.9.8, ]

*Advisories :* Project: [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525]

*CVSS Details :* CVE CVSS 2.0: 7.5; CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

*Occurrences (Paths) :* ["apache-cassandra.zip" ; "apache-cassandra.zip"]

*CVE :* CVE-2017-7525

*URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525]

*Remediation :* This component does not have any non-vulnerable Version. Please contact the vendor to get this vulnerability fixed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
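The recommendation in the report above (replace enableDefaultTyping() with activateDefaultTyping() on jackson-databind 2.10+) is easiest to judge side by side. The following is an added example, not code from the Jira issue, from Cassandra or from the Jackson project. It assumes jackson-databind 2.10.x on the classpath, a hypothetical application class Event with an Object-typed field, a hypothetical allow-listed package prefix com.example.model., and a constructed JSON input whose type id names a harmless JDK class so that the demo carries no gadget.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application class. A property typed as Object is exactly
    // where default typing makes Jackson honour a class name chosen by the sender.
    public static class Event {
        public String name;
        public Object payload;
    }

    // Constructed sample input (WRAPPER_ARRAY form: ["<class name>", <value>]).
    // The type id names an ordinary JDK class here; in a real attack it names a
    // gadget class that happens to be present on the application classpath.
    static final String INPUT =
        "{\"name\":\"login\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    // Before: pre-2.10 style configuration. Deprecated since 2.10 but still
    // compiles, so an upgrade alone does not remove it. Any class name found in
    // the input is resolved and instantiated.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // After: 2.10+ default typing gated by an explicit allow-list validator.
    // Only subtypes under the hypothetical com.example.model. prefix are accepted;
    // everything else is rejected with InvalidTypeIdException before instantiation.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // Returns the runtime class name that the unsafe mapper instantiated for payload.
    static String unsafePayloadClass() throws Exception {
        Event e = unsafeMapper().readValue(INPUT, Event.class);
        return e.payload.getClass().getName();
    }

    // Returns the rejected type id, or null if the hardened mapper accepted the input.
    static String hardenedRejectedTypeId() throws Exception {
        try {
            hardenedMapper().readValue(INPUT, Event.class);
            return null;
        } catch (InvalidTypeIdException ex) {
            return ex.getTypeId();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe   : payload instantiated as " + unsafePayloadClass());
        String rejected = hardenedRejectedTypeId();
        System.out.println("hardened : " + (rejected == null
            ? "ACCEPTED (allow-list too broad)"
            : "rejected type id " + rejected));
    }
}
```

The same applicability (OBJECT_AND_NON_CONCRETE) is used on both mappers so the only difference is the validator; with the hardened mapper the first call prints the JDK class name, the second prints that java.util.HashMap was rejected. When auditing a dependency like the one flagged in this issue, grep for both enableDefaultTyping and activateDefaultTyping and for @JsonTypeInfo(use = Id.CLASS): the second form is only safe if the validator it is given is an allow-list of the application's own types rather than a permissive one.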
