[ https://issues.apache.org/jira/browse/CASSANDRA-15416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Miklosovic updated CASSANDRA-15416:
------------------------------------------
Resolution: Won't Fix
Status: Resolved (was: Triage Needed)
> CVE-2017-7525 (jackson-databind is vulnerable to Remote Code Execution) on
> version 3.11.4
> ------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-15416
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15416
> Project: Cassandra
> Issue Type: Bug
> Reporter: Abhishek Singh
> Priority: Normal
>
> *Description :*
> *Severity :* CVE CVSS 2.0: 7.5; Sonatype CVSS 3: 8.5
> *Weakness :* CVE CWE: 502
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* A deserialization flaw was discovered in the
> jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could
> allow an unauthenticated user to perform code execution by sending the
> maliciously crafted input to the readValue method of the ObjectMapper.
> *Explanation :* jackson-databind is vulnerable to Remote Code Execution
> [RCE]. The createBeanDeserializer() function in the BeanDeserializerFactory
> class allows untrusted Java objects to be deserialized. A remote attacker can
> exploit this by uploading a malicious serialized object that will result in
> RCE if the application attempts to deserialize it.
> NOTE: This vulnerability is also tracked by the Apache Struts team as S2-055.
> *Detection :* The application is vulnerable by using this component, when
> default typing is enabled.
> Note: Spring Security has provided their own fix for this vulnerability
> [CVE-2017-4995]. If this component is being used as part of Spring Security,
> then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE
> or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.
> *Recommendation :* As of version 2.10.0, Jackson now provides a safe
> default typing solution that fully mitigates this vulnerability.
> Reference:
> [https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2]
> In order to mitigate this vulnerability, we recommend upgrading to at least
> version 2.10.0 and changing any usages of enableDefaultTyping() to
> activateDefaultTyping().
> Alternatively, if upgrading is not a viable option, this vulnerability can be
> mitigated by disabling default typing. Instead, you will need to implement
> your own:
> It is also possible to customize global defaulting, using
> ObjectMapper.setDefaultTyping(...) – you just have to implement your own
> TypeResolverBuilder (which is not very difficult); and by doing so, can
> actually configure all aspects of type information. Builder itself is just a
> short-cut for building actual handlers.
> Reference:
> [https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization]
> Examples of implementing your own typing can be found by looking at this
> Stack Overflow article.
> *Root Cause :*
> apache-cassandra-3.11.4-bin.tar.gz :
> org/codehaus/jackson/map/deser/BeanDeserializerFactory.class : [0.9.8, ]
> *Advisories :* Project:
> [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525]
> *CVSS Details :* CVE CVSS 2.0: 7.5; CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
> *Occurrences (Paths) :* ["apache-cassandra.zip" ; "apache-cassandra.zip"]
> *CVE :* CVE-2017-7525
> *URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525]
> *Remediation :* This component does not have any non-vulnerable Version.
> Please contact the vendor to get this vulnerability fixed.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
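The recommendation in the report (move to Jackson 2.10+ and replace enableDefaultTyping with activateDefaultTyping backed by a type allowlist) in working Java, as an added example that is not code from the Jira issue, Cassandra or Jackson; the DefaultTypingHardening, Envelope and Circle classes and both JSON inputs are constructed for the demonstration.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not code from the Jira issue, Cassandra or Jackson.
public class DefaultTypingHardening {
    // Hypothetical model types. An Object-typed field is exactly where default
    // typing lets the JSON document choose which class gets instantiated.
    public static final class Envelope { public Object payload; }
    public static final class Circle { public String name; public double radius; }

    // Before: every type id in the input is honoured (deprecated since 2.10).
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // After (Jackson 2.10+): default typing stays on, but a type id is resolved
    // only if the validator allowlists it; add the application's own types here.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Circle.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                                JsonTypeInfo.As.PROPERTY);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Constructed input naming an allowlisted class: accepted.
        String ok = "{\"payload\":{\"@class\":\"" + Circle.class.getName()
                + "\",\"name\":\"c\",\"radius\":2.0}}";
        Envelope e = mapper.readValue(ok, Envelope.class);
        System.out.println("accepted: " + ((Circle) e.payload).name);
        // Constructed input naming a class outside the allowlist (a harmless JDK
        // type here): rejected during type-id resolution, before any instance exists.
        String denied = "{\"payload\":{\"@class\":\"java.util.ArrayList\"}}";
        try {
            mapper.readValue(denied, Envelope.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected: " + ex.getTypeId());
        }
    }
}
```

Note that for the Cassandra artifact the report names an org.codehaus.jackson (1.x) class, where activateDefaultTyping does not exist; the allowlisting above applies to the com.fasterxml 2.10+ line the recommendation refers to.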