Block one more gadget type (mysql, CVE-2019-12086)

First of all: yes, that blog entry covers this CVE as well, there is nothing special (I’ll need to add more detail here).

Second: members of polymorphic types DO NOT automatically inherent polymorphic handling – so Object fields are not polymorphic by default unless either

1. default typing is enabled (for category that includes java.lang.Object), or
2. there is @JsonTypeInfo for that property

So neither of your cases is affected by any of these CVEs. In fact, even Test is fine unless there was a gadget class that extended this type (i.e. you managed to create a class that is subtype of Test and exposes a security vulnerability similar to types block-listed).

I hope this helps.

Hi @cowtowncoder,

I found this on the web https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 that seems written by you.

I am wondering if (3) under “What to do to Protect My System?” is also a valid protection against CVE-2019-12086. I assume it is. But I want to double check. If I read the description of the CVE (https://nvd.nist.gov/vuln/detail/CVE-2019-12086) it does not name (3) as a protection.

Also could you please tell me if classes with @JsonTypeInfo (or subclasses of them) with properties of type Object are affected if they are annotated with @JsonIgore? For example, would the following be vulnerable:

@JsonTypeInfo(...)
@JsonSubTypes(...)
class Test {
...
}

class SubTest extends Test {
   @JsonIgnore
   Object myObject
}

And my last question: would a class be vulnerable if the class does not have a property of type object directly but indirectly? I assume it is. But I want to double check. For example, would the following be vulnerable:

@JsonTypeInfo(...)
@JsonSubTypes(...)
class Test {
...
}

class SubTest extends Test {
   MyClass myClass;
}

class MyClass {
   Object test;
}