CVE-2019-10202

[lafual]

Hi,

My company's IT Security has implemented a vulnerability checker. Unfortunately I do not know what this software is. They haven't revealed the name.

However, it is blocking Jackson-databind-2.10.3 with the following issue. https://nvd.nist.gov/vuln/detail/CVE-2019-10202

Is 2.10.3 really vulnerable? The above link does refer to this package in name, but does the link above actually indicate which version is vulnerable?

[cowtowncoder]

This problem has not been reported to Jackson maintainers directly, so I do not know exact details of the alleged vulnerability. However, from description that only mentions Jackson 1.x it looks like it might be a backport of some reported vulns for Jackson 2.x; latter of which would be fixed for 2.x

So: as of now I do not think this is relevant for Jackson 2.x until someone proves otherwise.

Worth noting, too, is that none of polymorphic deserialization vulns/CVEs reported against 2.x are applicable beyond 2.9.x -- 2.10.0 and later are not considered affected as per CVE definition (attacks can not be used with Jackson usage with default configuration: user will have to enable specific handling using deprecated methods).

I hope this helps. For more information, whoever filed the issue would need to share more information.

[cowtowncoder]

I went ahead and dug up references to Jackson 2.x issues via CVE ids matched. Here's the list, along with versions fixed (all but one are against jackson-databind; one, as noted, is for (https://github.com/FasterXML/jackson-modules-java8/) module jackson-datatype-jsr310 (java 8 date/time):

• CVE-2017-17485: Block more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485) #1855 (fixed in 2.9.4)
• CVE-2017-7525: Jackson Deserializer security vulnerability via default typing (CVE-2017-7525) #1599 (fixed in 2.9.0)
• CVE-2017-15095: Block more JDK types from polymorphic deserialization (CVE 2017-15095) #1737 (fixed in 2.9.1)
• CVE-2018-5968: Another two gadgets to exploit default typing issue in jackson-databind (CVE-2018-5968) #1899 (fixed in 2.9.4)
• CVE-2018-7489: Block two more gadgets to exploit default typing issue (c3p0, CVE-2018-7489) #1931 (fixed in 2.9.5)
• CVE-2018-1000873: Performance issue with malicious BigDecimal input, InstantDeserializer, DurationDeserializer (CVE-2018-1000873) jackson-modules-java8#90 (not databind) (fixed in 2.9.8)
• CVE-2019-12086: Block one more gadget type (mysql, CVE-2019-12086) #2326 (fixed in 2.9.9)

note: fixes are in many cases backported to earlier 2.8 micro-patches, but I include 2.9.x fixes as the primary ones -- none affects 2.10.0 or later versions.

I do not know how to help with security scanners but perhaps you can pass on this issue. Like I said, people who filed the cve id request did not contact me or anyone from Jackson dev team (as far as I know), so I don't really know a good way to pass this information.
But creation of this ticket should make it easier to surface connections as necessary.

I did also add CVE ids in some places where they were missing in Jackson release notes: often times actual id is allocated after issue itself has been fixed (since disclosure timing should ideally occur after release of a fixed-in version)

[lafual]

Wow what an answer 💯 Thank you for taking the time to give me such comprehensive feedback 🥇

[cowtowncoder]

@lafual np. I figured that it is likely you would not be the only user who ends up asking this question -- security tools are unfortunately black boxes often, and the real world situation with patches is a tangled mess. On plus side, I was able to fill in some blanks in release notes too. :)

Also... interesting. Did not realize Github has auto-linking for CVE ids. Neat.