Block one more gadget type (logback, CVE-2019-12384)
A new gadget type (see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) was reported, and CVE id allocated was CVE-2019-12384.
CVE description is available at: https://nvd.nist.gov/vuln/detail/CVE-2019-12384 for full details, but the specific variation (in addition to needing “default typing”, attacker being able to craft specific json message) is that:
- If service has jar logback-classic in its classpath, vulnerability applies.
Fixed in:
- 2.9.10
- 2.8.11.4
- 2.7.9.6
- 2.6.7.3
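The two preconditions named in the issue (global default typing turned on, and the attacker controlling the JSON that is bound) are both configuration choices in the consuming service, so it is worth seeing what the weak and the hardened `ObjectMapper` setups look like side by side. The following is an added example, not code from the jackson-databind project or from this issue: it uses hypothetical application types in a hypothetical `com.example.model` package, a constructed JSON input that names a benign JDK class in the position where a gadget class would go (the logback gadget itself is deliberately not reproduced), and assumes jackson-databind 2.10 or later, since `activateDefaultTyping` and `BasicPolymorphicTypeValidator` do not exist in the 2.9.x/2.8.x/2.7.x/2.6.x lines listed above, where the fix is the library's own class blocklist.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application type. The Object-typed field is what makes
    // default typing necessary: Jackson has to be told which concrete class
    // to instantiate, and with default typing that choice comes from the JSON.
    public static class Event {
        public String name;
        public Object payload;
    }

    // Hypothetical application type the service legitimately accepts as payload.
    public static class Note {
        public String text;
    }

    // Weak configuration: default typing enabled globally with no restriction on
    // the class names an incoming type id may carry. Any class on the classpath
    // (a logback-classic gadget included) becomes reachable from untrusted JSON.
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened configuration (2.10+): default typing is only activated together
    // with a validator that allowlists subtypes from the application's own
    // package. Everything else is denied before a class is ever instantiated.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv);
        return mapper;
    }

    // Constructed input: the attacker picks the class name in the type id.
    // java.util.ArrayList stands in for a gadget class here.
    static final String UNTRUSTED_JSON =
            "{\"name\":\"probe\",\"payload\":[\"java.util.ArrayList\",[]]}";

    // Constructed input naming a type inside the allowlisted package.
    static final String LEGITIMATE_JSON =
            "{\"name\":\"note\",\"payload\":[\"com.example.model.DefaultTypingDemo$Note\","
            + "{\"text\":\"hello\"}]}";

    public static void main(String[] args) throws Exception {
        // With unrestricted default typing the attacker-chosen class is instantiated.
        Event e = vulnerableMapper().readValue(UNTRUSTED_JSON, Event.class);
        System.out.println("vulnerable mapper instantiated: " + e.payload.getClass().getName());

        // With the validator in place the same document is refused at type-id resolution.
        try {
            hardenedMapper().readValue(UNTRUSTED_JSON, Event.class);
            System.out.println("unexpected: hardened mapper accepted the type id");
        } catch (InvalidTypeIdException ex) {
            System.out.println("hardened mapper rejected type id: " + ex.getTypeId());
        }

        // Allowlisted application types still round-trip normally.
        Event ok = hardenedMapper().readValue(LEGITIMATE_JSON, Event.class);
        System.out.println("hardened mapper accepted: " + ((Note) ok.payload).text);
    }
}
```

The allowlist is the important part: a denylist of known gadget classes, which is what the library itself ships in the fixed versions, only covers gadgets that have already been reported, while `allowIfSubType` confines resolution to types the service actually expects. If a field does not genuinely need polymorphism, the stronger option is to not activate default typing at all and use `@JsonTypeInfo` with an explicit `@JsonSubTypes` list on that one property.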
Top GitHub Comments
Release 2.9.9.1 in-progress.
@cowtowncoder Are you planning on releasing a 2.9.9.1 for the jackson-bom artifact containing this jackson-databind release? Thanks