[ https://issues.apache.org/jira/browse/CXF-7752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16501578#comment-16501578 ]

Dennis Kieselhorst commented on CXF-7752:
-----------------------------------------

I've already updated jackson to 2.9.5 on master. It will be part of 3.2.5 
release. For the meantime you can just set an explicit version for jackson 
instead of the transitive one.

I wonder why cxf-rt-ws-security and ehcache should be involved here. The 
dependency tree doesn't show a transitive dependency.
{noformat}
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ cxf-rt-ws-security ---
[INFO] org.apache.cxf:cxf-rt-ws-security:bundle:3.2.5-SNAPSHOT
[INFO] +- org.apache.cxf:cxf-core:jar:3.2.5-SNAPSHOT:compile
[INFO] |  \- org.apache.ws.xmlschema:xmlschema-core:jar:2.2.3:compile
[INFO] +- org.apache.cxf:cxf-rt-bindings-soap:jar:3.2.5-SNAPSHOT:compile
[INFO] |  +- org.apache.cxf:cxf-rt-wsdl:jar:3.2.5-SNAPSHOT:compile
[INFO] |  \- org.apache.cxf:cxf-rt-databinding-jaxb:jar:3.2.5-SNAPSHOT:compile
[INFO] +- org.apache.cxf:cxf-rt-security-saml:jar:3.2.5-SNAPSHOT:compile
[INFO] |  \- org.apache.cxf:cxf-rt-security:jar:3.2.5-SNAPSHOT:compile
[INFO] +- org.apache.cxf:cxf-rt-ws-addr:jar:3.2.5-SNAPSHOT:provided
[INFO] +- org.apache.cxf:cxf-rt-ws-policy:jar:3.2.5-SNAPSHOT:provided
[INFO] |  +- wsdl4j:wsdl4j:jar:1.6.3:compile
[INFO] |  \- org.apache.neethi:neethi:jar:3.1.1:compile
[INFO] +- org.apache.cxf:cxf-rt-ws-mex:jar:3.2.5-SNAPSHOT:provided (optional)
[INFO] +- org.apache.cxf:cxf-rt-transports-http:jar:3.2.5-SNAPSHOT:provided (optional)
[INFO] +- com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile (optional)
[INFO] |  \- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile (optional)
[INFO] +- net.sf.ehcache:ehcache:jar:2.10.4:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.apache.wss4j:wss4j-ws-security-dom:jar:2.2.2-SNAPSHOT:compile
[INFO] |  \- org.apache.wss4j:wss4j-ws-security-common:jar:2.2.2-SNAPSHOT:compile
[INFO] |     +- org.apache.santuario:xmlsec:jar:2.1.2-SNAPSHOT:compile
[INFO] |     |  \- commons-codec:commons-codec:jar:1.11:compile
[INFO] |     +- org.opensaml:opensaml-saml-impl:jar:3.3.0:compile
[INFO] |     |  +- org.opensaml:opensaml-profile-api:jar:3.3.0:compile
[INFO] |     |  |  \- org.opensaml:opensaml-core:jar:3.3.0:compile
[INFO] |     |  |     \- io.dropwizard.metrics:metrics-core:jar:3.2.6:compile
[INFO] |     |  +- org.opensaml:opensaml-saml-api:jar:3.3.0:compile
[INFO] |     |  |  +- org.opensaml:opensaml-xmlsec-api:jar:3.3.0:compile
[INFO] |     |  |  \- org.opensaml:opensaml-soap-api:jar:3.3.0:compile
[INFO] |     |  +- org.opensaml:opensaml-security-impl:jar:3.3.0:compile
[INFO] |     |  |  \- org.opensaml:opensaml-security-api:jar:3.3.0:compile
[INFO] |     |  |     \- org.cryptacular:cryptacular:jar:1.1.1:compile
[INFO] |     |  +- org.opensaml:opensaml-xmlsec-impl:jar:3.3.0:compile
[INFO] |     |  \- net.shibboleth.utilities:java-support:jar:7.3.0:compile
[INFO] |     |     +- com.google.guava:guava:jar:19.0:compile
[INFO] |     |     \- joda-time:joda-time:jar:2.9:compile
[INFO] |     +- org.opensaml:opensaml-xacml-impl:jar:3.3.0:compile
[INFO] |     |  \- org.opensaml:opensaml-xacml-api:jar:3.3.0:compile
[INFO] |     +- org.opensaml:opensaml-xacml-saml-impl:jar:3.3.0:compile
[INFO] |     |  \- org.opensaml:opensaml-xacml-saml-api:jar:3.3.0:compile
[INFO] |     \- org.jasypt:jasypt:jar:1.9.2:compile
[INFO] +- org.apache.wss4j:wss4j-policy:jar:2.2.2-SNAPSHOT:compile
[INFO] +- org.apache.wss4j:wss4j-ws-security-stax:jar:2.2.2-SNAPSHOT:compile
[INFO] |  \- org.apache.wss4j:wss4j-bindings:jar:2.2.2-SNAPSHOT:compile
[INFO] +- org.apache.wss4j:wss4j-ws-security-policy-stax:jar:2.2.2-SNAPSHOT:compile
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.59:provided
[INFO] +- org.slf4j:slf4j-jdk14:jar:1.7.25:test
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.apache.cxf:cxf-rt-frontend-jaxws:jar:3.2.5-SNAPSHOT:compile (optional)
[INFO] |  +- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] |  +- org.ow2.asm:asm:jar:5.2:compile
[INFO] |  +- org.apache.cxf:cxf-rt-bindings-xml:jar:3.2.5-SNAPSHOT:compile
[INFO] |  \- org.apache.cxf:cxf-rt-frontend-simple:jar:3.2.5-SNAPSHOT:compile
[INFO] +- org.apache.cxf:cxf-rt-transports-local:jar:3.2.5-SNAPSHOT:test
[INFO] +- org.apache.cxf:cxf-testutils:jar:3.2.5-SNAPSHOT:test
[INFO] |  \- org.apache.geronimo.javamail:geronimo-javamail_1.4_mail:jar:1.8.4:compile
[INFO] +- org.apache.cxf:cxf-rt-features-logging:jar:3.2.5-SNAPSHOT:test
[INFO] \- org.easymock:easymock:jar:3.6:test
[INFO]    \- org.objenesis:objenesis:jar:2.6:test{noformat}
Anyway, I've updated to ehcache 2.10.5, which seems to be the latest 2.x version.

> CVE-2018-5968 and CVE-2018-7489
> -------------------------------
>
>                 Key: CXF-7752
>                 URL: https://issues.apache.org/jira/browse/CXF-7752
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Giacomo Boccardo
>            Assignee: Dennis Kieselhorst
>            Priority: Major
>             Fix For: 3.2.5
>
>
> Analyzing the dependencies of my project using OWASP Dependency Check a 
> transitive dependency of org.apache.cxf:cxf-rt-ws-security:jar:3.2.4:compile 
> shows two issues in
> ehcache-2.10.4.jar/rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
> and the following explanations are reported:
> FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows 
> unauthenticated remote code execution because of an incomplete fix for the 
> CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable 
> via two different gadgets that bypass a blacklist.
> FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows 
> unauthenticated remote code execution because of an incomplete fix for the 
> CVE-2017-7525 deserialization flaw. This is exploitable by sending 
> maliciously crafted JSON input to the readValue method of the ObjectMapper, 
> bypassing a blacklist that is ineffective if the c3p0 libraries are 
> available in the classpath.
> Please consider updating net.sf.ehcache:ehcache:jar:2.10.4 when/if it solves 
> CVE-2018-5968 and CVE-2018-7489.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
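The reporter's finding came from a pom.xml that OWASP Dependency Check found inside the ehcache jar, under rest-management-private-classpath, and not from an artifact Maven resolves; that is why the dependency:tree output above shows no jackson-databind at all. The scanner below is an added example (not code from the issue, from CXF or from ehcache) that does the same kind of check: it opens a jar, lists every embedded META-INF/maven/*/*/pom.xml, and flags a jackson-databind entry whose version is below the fixed versions quoted in the issue (2.8.11.1 for the 2.8 line, 2.9.5 for 2.9.x). The jar it inspects is constructed in memory with the same nested path the reporter quotes, so it runs offline; the class-file bytes and pom contents are made up for the example. Pinning jackson-databind in your own pom, as the comment suggests, changes the artifact Maven resolves but not a copy bundled inside another jar, which is what makes this check useful alongside dependency:tree.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Paths such as META-INF/maven/<groupId>/<artifactId>/pom.xml, anywhere in the
# jar, including under a private classpath directory.
NESTED_POM = re.compile(r"(?:^|/)META-INF/maven/([^/]+)/([^/]+)/pom\.xml$")


def parse_version(text):
    """Turn '2.8.11.1' into (2, 8, 11, 1); a non-numeric part ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable_jackson(version):
    """Fixed versions from the CVE text in the issue: 2.8.11.1, and 2.9.5 on 2.9.x."""
    v = parse_version(version)
    if v[:2] == (2, 9):
        return v < (2, 9, 5)
    return v < (2, 8, 11, 1)


def pom_coordinates(pom_bytes):
    """Return (groupId, artifactId, version), inheriting from <parent> when absent."""
    root = ET.fromstring(pom_bytes)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""

    def text_of(elem, name):
        node = elem.find(ns + name)
        return node.text.strip() if node is not None and node.text else None

    parent = root.find(ns + "parent")
    coords = []
    for name in ("groupId", "artifactId", "version"):
        value = text_of(root, name)
        if value is None and parent is not None:
            value = text_of(parent, name)
        coords.append(value)
    return tuple(coords)


def scan_jar(jar_bytes):
    """List every Maven pom embedded in the jar, wherever it sits."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if NESTED_POM.search(name):
                group, artifact, version = pom_coordinates(jar.read(name))
                found.append({"path": name, "groupId": group,
                              "artifactId": artifact, "version": version})
    return found


def flag_jackson(jar_bytes):
    """Entries for a jackson-databind pom whose version is below the fixed floors."""
    return [e for e in scan_jar(jar_bytes)
            if e["groupId"] == "com.fasterxml.jackson.core"
            and e["artifactId"] == "jackson-databind"
            and e["version"] is not None
            and is_vulnerable_jackson(e["version"])]


def build_sample_jar(jackson_version):
    """Constructed sample jar shaped like the path quoted in the issue (not the real ehcache jar)."""
    pom = f"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>{jackson_version}</version>
</project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("net/sf/ehcache/Cache.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        jar.writestr("rest-management-private-classpath/META-INF/maven/"
                     "com.fasterxml.jackson.core/jackson-databind/pom.xml", pom)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in flag_jackson(build_sample_jar("2.9.3")):
        print(f"{hit['path']}: {hit['groupId']}:{hit['artifactId']}:{hit['version']} is below the fixed version")
```

To run it against a real artifact, read the jar from ~/.m2 into bytes and pass them to flag_jackson; the same nested-pom walk also surfaces other shaded or bundled libraries that dependency:tree cannot see.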