[
https://issues.apache.org/jira/browse/CASSANDRA-15416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17420832#comment-17420832
]
Tatu Saloranta commented on CASSANDRA-15416:
--------------------------------------------
This falls under general polymorphic deserialization, explained here:
[https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062]
and as far as I know, Cassandra does not use polymorphic deserialization
anywhere (either with `@JsonTypeInfo` annotation on `Object`-valued property or
by enabling "Default Typing").
Note that `BeanDeserializerFactory` itself is used indirectly when
deserializing regular Java POJOs/Beans and is not called directly by app code
(that is, looking for references to it won't tell much about usage).
Having said that, the issue is resolved for 2.10 so CASSANDRA-16851 should
resolve this for 3.11 and 4.x.
> CVE-2017-7525 ( jackson-databind is vulnerable to Remote Code Execution) on
> version 3.11.4
> ------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-15416
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15416
> Project: Cassandra
> Issue Type: Bug
> Reporter: Abhishek Singh
> Priority: Normal
>
> *Description :*
> *Severity :* CVE CVSS 2.0: 7.5; Sonatype CVSS 3: 8.5
> *Weakness :* CVE CWE: 502
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* A deserialization flaw was discovered in the
> jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could
> allow an unauthenticated user to perform code execution by sending the
> maliciously crafted input to the readValue method of the ObjectMapper.
> *Explanation :* jackson-databind is vulnerable to Remote Code Execution
> (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory
> class allows untrusted Java objects to be deserialized. A remote attacker can
> exploit this by uploading a malicious serialized object that will result in
> RCE if the application attempts to deserialize it.
> NOTE: This vulnerability is also tracked by the Apache Struts team as S2-055.
> *Detection :* The application is vulnerable by using this component, when
> default typing is enabled.
> Note: Spring Security has provided their own fix for this vulnerability
> [CVE-2017-4995]. If this component is being used as part of Spring Security,
> then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE
> or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.
> *Recommendation :* As of version 2.10.0, Jackson now provides a safe
> default typing solution that fully mitigates this vulnerability.
> Reference:
> [https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2]
> In order to mitigate this vulnerability, we recommend upgrading to at least
> version 2.10.0 and changing any usages of enableDefaultTyping() to
> activateDefaultTyping().
> Alternatively, if upgrading is not a viable option, this vulnerability can be
> mitigated by disabling default typing. Instead, you will need to implement
> your own:
> It is also possible to customize global defaulting, using
> ObjectMapper.setDefaultTyping(...) – you just have to implement your own
> TypeResolverBuilder (which is not very difficult); and by doing so, can
> actually configure all aspects of type information. Builder itself is just a
> short-cut for building actual handlers.
> Reference:
> [https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization]
> Examples of implementing your own typing can be found by looking at this
> Stack Overflow article.
> *Root Cause :*
> apache-cassandra-3.11.4-bin.tar.gz org/codehaus/jackson/map/deser/BeanDeserializerFactory.class
> : [0.9.8, ]
> *Advisories :* Project:
> [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525]
> *CVSS Details :* CVE CVSS 2.0: 7.5; CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
> *Occurrences (Paths) :* ["apache-cassandra.zip" ; "apache-cassandra.zip"]
> *CVE :* CVE-2017-7525
> *URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525]
> *Remediation :* This component does not have any non-vulnerable Version.
> Please contact the vendor to get this vulnerability fixed.
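The contrast the quoted recommendation draws between enableDefaultTyping() and the 2.10+ activateDefaultTyping() form, written out as an added example that is not code from the issue or from Cassandra. It assumes Jackson 2.10 or later; the classes DefaultTypingDemo, Envelope and Greeting are hypothetical, and Envelope's Object-valued property is the shape the comment above names as the precondition for polymorphic deserialization.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
public class DefaultTypingDemo {
    // An Object-valued property is the shape that default typing turns
    // polymorphic: the JSON itself then names the class to instantiate.
    public static class Envelope {
        public Object payload;
    }
    // The only payload type this (hypothetical) application expects.
    public static class Greeting {
        public String text;
    }
    // Pre-2.10 style (deprecated since 2.10): any class on the classpath
    // named in the input is a candidate subtype. Shown only for contrast.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }
    // 2.10+ style: default typing is only activated together with an
    // explicit allow-list, so unlisted type ids fail before instantiation.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }
    public static void main(String[] args) throws Exception {
        ObjectMapper safe = safeMapper();
        // Constructed input using the default wrapper-array type id form.
        String ok = "{\"payload\":[\"" + Greeting.class.getName() + "\",{\"text\":\"hi\"}]}";
        Envelope e = safe.readValue(ok, Envelope.class);
        System.out.println("accepted: " + ((Greeting) e.payload).text);
        // A type id outside the allow-list is rejected by the validator.
        String unlisted = "{\"payload\":[\"java.util.HashMap\",{}]}";
        try {
            safe.readValue(unlisted, Envelope.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected: " + ex.getTypeId());
        }
    }
}
```

The same two inputs fed to unsafeMapper() would both be accepted, which is why the allow-list, not the upgrade alone, is the mitigation.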
--
This message was sent by Atlassian Jira
(v8.3.4#803005)