| Summary: | jackson-databind new security issues CVE-2020-36518 and CVE-2022-4200[34] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | jackson-databind-2.11.4-2.mga9.src.rpm | CVE: | CVE-2020-36518, CVE-2022-42003, CVE-2022-42004 |
| Status comment: | | | |
| Attachments: | script to exercise jackson-dataformat | | |
Description
David Walser
2022-05-03 17:24:02 CEST
David Walser
2022-05-03 17:24:37 CEST
Status comment:
(none) =>
Fixed upstream in 2.13.0

SUSE has issued an advisory for this today (May 16):
https://lists.suse.com/pipermail/sle-security-updates/2022-May/011022.html

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WTX6HAJ7KVGVZQ6APMA35RM7R7BKVSMB/

SUSE has issued an advisory on November 15:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012934.html

The issues are fixed upstream in 2.14.0-rc1.

Mageia 8 is also affected.

Status comment:
Fixed upstream in 2.13.0 =>
Fixed upstream in 2.14.0-rc1

(In reply to David Walser from comment #3)
> SUSE has issued an advisory on November 15:
> https://lists.suse.com/pipermail/sle-security-updates/2022-November/012934.
> html
>
> The issues are fixed upstream in 2.14.0-rc1.
>
> Mageia 8 is also affected.

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3IQ2OJSME4FMTGEF2CROURE4WDT3DEVB/

Debian has issued an advisory for this on November 17:
https://www.debian.org/security/2022/dsa-5283

Debian-LTS has issued an advisory for this on November 27:
https://www.debian.org/lts/security/2022/dla-3207

RedHat has issued an advisory for CVE-2020-36518 today (May 9):
https://access.redhat.com/errata/RHSA-2023:2312
Nicolas Salguero
2024-03-13 14:25:46 CET
Whiteboard:
MGA8TOO =>
(none)

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. (CVE-2020-36518)

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. (CVE-2022-42003)

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. (CVE-2022-42004)

References:
https://www.debian.org/lts/security/2022/dla-2990
https://lists.suse.com/pipermail/sle-security-updates/2022-May/011022.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WTX6HAJ7KVGVZQ6APMA35RM7R7BKVSMB/
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012934.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3IQ2OJSME4FMTGEF2CROURE4WDT3DEVB/
https://www.debian.org/security/2022/dsa-5283
https://www.debian.org/lts/security/2022/dla-3207
https://access.redhat.com/errata/RHSA-2023:2312
========================

Updated packages in core/updates_testing:
========================

jackson-databind-2.11.4-2.1.mga9
jackson-databind-javadoc-2.11.4-2.1.mga9

from SRPM:
jackson-databind-2.11.4-2.1.mga9.src.rpm

Assignee:
java =>
qa-bugs

Created attachment 14461
script to exercise jackson-dataformat

From GitHub with annotations from Frank Griffin and Martin Whitaker.

CC:
(none) =>
tarazed25

mageia9, x64
Looked at /usr/share/java/
Tried `java -jar jackson-databind.jar` but that does not run without infrastructure of some kind. Out of my depth there.
$ java -jar /usr/share/java/jackson-databind.jar
no main manifest attribute, in /usr/share/java/jackson-databind.jar
Looked for PoC without success.
Found a script in my qa tree under jackson, attached here.
$ javac -cp ".:/usr/share/java/*" SimpleTest.java
SimpleTest.java:10: error: package com.fasterxml.jackson.dataformat.xml does not exist
import com.fasterxml.jackson.dataformat.xml.*;
^
SimpleTest.java:33: error: cannot find symbol
ObjectMapper xmlMapper = new XmlMapper();
^
symbol: class XmlMapper
location: class SimpleTest
2 errors
It appears that the previous attempt in 2016 was more successful because there is a file in the same directory called Simple.class compiled from Simple.java using SimpleTest.java. A lot may have changed in eight years so the code could be out of date.
Updated the two packages.
The simple test still fails. I am hesitant about pushing this without an expert examining the error messages to eliminate build problems.
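As an added example (not the attached script and not code from the jackson project), a small Java program that compiles against only the jackson-core, jackson-annotations and jackson-databind jars installed by the packages above, so it does not need the missing jackson-dataformat-xml: it measures object/array nesting depth with the streaming parser and refuses to hand over-deep documents to ObjectMapper, deep nesting being the input pattern the three CVEs in the advisory share. The class name, the MAX_DEPTH value of 100 and the constructed sample input are assumptions.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class DepthGuard {
    static final int MAX_DEPTH = 100; // assumed policy limit, well below what the JVM stack tolerates
    // Walk the token stream with the streaming parser (jackson-core) and return the deepest
    // object/array nesting seen; abort as soon as it exceeds maxDepth, before any tree is built.
    static int measureDepth(String json, int maxDepth) throws IOException {
        int depth = 0, max = 0;
        try (JsonParser p = new JsonFactory().createParser(json)) {
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    if (++depth > maxDepth) throw new IOException("nesting depth exceeds " + maxDepth);
                    max = Math.max(max, depth);
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return max;
    }
    // Hand the document to ObjectMapper (jackson-databind) only after the depth check passed.
    static JsonNode readGuarded(ObjectMapper mapper, String json) throws IOException {
        measureDepth(json, MAX_DEPTH);
        return mapper.readTree(json);
    }
    // Constructed sample input: `levels` nested objects around a single number.
    static String nestedObjects(int levels) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < levels; i++) sb.append("{\"a\":");
        sb.append('1');
        for (int i = 0; i < levels; i++) sb.append('}');
        return sb.toString();
    }
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        System.out.println("depth 10 accepted: " + readGuarded(mapper, nestedObjects(10)));
        try {
            readGuarded(mapper, nestedObjects(MAX_DEPTH + 1));
        } catch (IOException e) {
            System.out.println("depth " + (MAX_DEPTH + 1) + " rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it with the same classpath the report uses: `javac -cp ".:/usr/share/java/*" DepthGuard.java` then `java -cp ".:/usr/share/java/*" DepthGuard`.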
katnatek
2024-03-16 01:59:33 CET
Keywords:
(none) =>
advisory

VM mageia 9 x86_64
Install current version, update to testing version and uninstall
LC_ALL=C urpmi jackson-databind jackson-databind-javadoc
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release")
jackson-annotations 2.11.4 2.mga9 noarch
jackson-core 2.11.4 2.mga9 noarch
jackson-databind 2.11.4 2.mga9 noarch
jackson-databind-javadoc 2.11.4 2.mga9 noarch
45MB of additional disk space will be used.
3.4MB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) y
https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/jackson-core-2.11.4-2.mga9.noarch.rpm
https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/jackson-databind-javadoc-2.11.4-2.mga9.noarch.rpm
https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/jackson-annotations-2.11.4-2.mga9.noarch.rpm
https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/jackson-databind-2.11.4-2.mga9.noarch.rpm
installing jackson-databind-2.11.4-2.mga9.noarch.rpm jackson-annotations-2.11.4-2.mga9.noarch.rpm jackson-databind-javadoc-2.11.4-2.mga9.noarch.rpm jackson-core-2.11.4-2.mga9.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ###########################################################################################
1/4: jackson-core ###########################################################################################
2/4: jackson-annotations ###########################################################################################
3/4: jackson-databind ###########################################################################################
4/4: jackson-databind-javadoc
###########################################################################################
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release" is up-to-date
https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/updates/media_info/20240316-013725-synthesis.hdlist.cz
updated medium "Core Updates"
medium "Nonfree Release" is up-to-date
medium "Nonfree Updates" is up-to-date
medium "Tainted Release" is up-to-date
medium "Tainted Updates" is up-to-date
installing jackson-databind-2.11.4-2.1.mga9.noarch.rpm jackson-databind-javadoc-2.11.4-2.1.mga9.noarch.rpm from //home/qateam/qa-testing/x86_64
Preparing... ###########################################################################################
1/2: jackson-databind-javadoc
###########################################################################################
2/2: jackson-databind ###########################################################################################
1/2: removing jackson-databind-javadoc-2.11.4-2.mga9.noarch
###########################################################################################
2/2: removing jackson-databind-2.11.4-2.mga9.noarch
###########################################################################################
[root@localhost ~]# LC_ALL=C urpme $(rpm -qa|grep jackson-databind)
removing jackson-databind-2.11.4-2.1.mga9.noarch jackson-databind-javadoc-2.11.4-2.1.mga9.noarch
removing package jackson-databind-2.11.4-2.1.mga9.noarch
1/2: removing jackson-databind-2.11.4-2.1.mga9.noarch
###########################################################################################
removing package jackson-databind-javadoc-2.11.4-2.1.mga9.noarch
2/2: removing jackson-databind-javadoc-2.11.4-2.1.mga9.noarch
###########################################################################################
writing /var/lib/rpm/installed-through-deps.list
The following packages:
glibc-devel-2.36-52.mga9.x86_64
jackson-annotations-2.11.4-2.mga9.noarch
jackson-core-2.11.4-2.mga9.noarch
kernel-userspace-headers-6.6.18-1.mga9.x86_64
lib64xcrypt-devel-4.4.33-3.mga9.x86_64
are now orphaned, if you wish to remove them, you can use "urpme --auto-orphans"
LC_ALL=C urpme --auto-orphans --auto
removing glibc-devel-2.36-52.mga9.x86_64 jackson-annotations-2.11.4-2.mga9.noarch jackson-core-2.11.4-2.mga9.noarch kernel-userspace-headers-6.6.18-1.mga9.x86_64 lib64xcrypt-devel-4.4.33-3.mga9.x86_64
removing package glibc-devel-6:2.36-52.mga9.x86_64
1/5: removing glibc-devel-6:2.36-52.mga9.x86_64
###########################################################################################
removing package lib64xcrypt-devel-4.4.33-3.mga9.x86_64
2/5: removing lib64xcrypt-devel-4.4.33-3.mga9.x86_64
###########################################################################################
removing package kernel-userspace-headers-6.6.18-1.mga9.x86_64
3/5: removing kernel-userspace-headers-6.6.18-1.mga9.x86_64
###########################################################################################
removing package jackson-core-2.11.4-2.mga9.noarch
4/5: removing jackson-core-2.11.4-2.mga9.noarch
###########################################################################################
removing package jackson-annotations-2.11.4-2.mga9.noarch
5/5: removing jackson-annotations-2.11.4-2.mga9.noarch
###########################################################################################
katnatek
2024-03-16 04:41:51 CET
CC:
(none) =>
andrewsfarm

Previous rounds https://bugs.mageia.org/show_bug.cgi?id=25266 were validated on the basis of a clean install. Let me know if I made a mistake.

CC:
(none) =>
sysadmin-bugs

(In reply to katnatek in comment 12)
Not a mistake; a decision which we often have to make when we reach a dead end.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0069.html

Resolution:
(none) =>
FIXED