All,

When I read through the issue more, I noticed this comment by the author: https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-353157893, which mentions that the "default typing" behavior is not the normal default for this library.

So, I checked my repo by doing mvn dependency:tree and found that the use of Jackson-databind was from the swagger-core library. When I inspect the swagger-core stable version 1.5.18 code (https://github.com/swagger-api/swagger-core/releases/tag/v1.5.18), I do not find calls to either of the methods shown in the Spring Security commit example (https://github.com/spring-projects/spring-security/commit/947d11f433b78294942cb5ea56e8aa5c3a0ca439) to address this issue. (This Spring Security example is cited by the IQ Server description of SONATYPE-2017-0312 as a way to address the problem.) I.e., the swagger code doesn't contain a call to enable default typing, nor does it explicitly set a default typing whitelist.
My preliminary conclusion is that swagger is relying on Jackson-databind default behavior, which, according to the author, shouldn't suffer from the vulnerability. Curious if other projects have this same swagger dependency on Jackson-databind and if we can eliminate this collective concern.

So, this requests:
- Review of my thinking
- If correct, some type of waiver for the vulnerability.

-Dom

From: [email protected] [mailto:[email protected]] On Behalf Of Nemeth, Denes (Nokia - HU/Budapest)
Sent: Thursday, March 29, 2018 4:11 AM
To: [email protected]; DRAGOSH, PAMELA L (PAM) <[email protected]>
Cc: [email protected]; [email protected]
Subject: Re: [onap-discuss] [Onap-release] FYI - jackson-databind security fix 2.9.5

Dear All

Unfortunately there is no real fix for this in any of the Jackson releases, since the fix merged blacklists certain classes that should not be deserialized. The blacklisting based fix is this https://github.com/FasterXML/jackson-databind/issues/1599 which is included here:

Is only included in 2.7.9.3, 2.7.9.2, 2.7.9.1 and 2.8.11.1:

Version   Repository  Usages  Date       URL
2.7.9.3   Central     1       Feb, 2018  https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.3
2.7.9.2   Central     6       Dec, 2017  https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.2
2.7.9.1   -           -       -          https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.1
2.8.11.1  Central     13      Feb, 2018  https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11.1
2.8.11    Central     102     Dec, 2017  https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11
2.8.10    Central     541     Aug, 2017  https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.10
2.8.9     Central     643     Jun, 2017  https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.9

2.9.X branch does not contain the fixes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5

The fix in the 2.8 branch, https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1, is missing from 2.9: https://github.com/FasterXML/jackson-databind/blob/2.9/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java

I think there is no bulletproof solution for now.

Cheers
Denes

From: <[email protected]> on behalf of "[email protected]" <[email protected]>
Date: 2018. March 29., Thursday 2:34
To: "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [onap-discuss] [Onap-release] FYI - jackson-databind security fix 2.9.5

That's good news, Pam. Just let us know the result. We've been struggling with this issue for a long time as well.

Best wishes.
Guangrong

Original Mail
Sender: DRAGOSH, PAMELA L (PAM) <[email protected]>
To: [email protected] <[email protected]>; onap-release <[email protected]>
Date: 2018/03/29 07:55
Subject: [Onap-release] FYI - jackson-databind security fix 2.9.5

_______________________________________________
Onap-release mailing list
[email protected]
https://lists.onap.org/mailman/listinfo/onap-release

For teams with CLM issues regarding 2.9.4 and lower, just 2 days ago they released this version: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5

I am going to see if that clears my CLM issues for the policy projects. Wish me luck.

Pam
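Dom's check at the top of the thread hinges on whether a library ever calls enableDefaultTyping(). The Java snippet below is an added example, not part of this thread and not code from swagger-core, Spring Security or Jackson; it shows the behavioural difference that check is about: a stock ObjectMapper treats a type-id-shaped array as plain data, while one with enableDefaultTyping() resolves the first element as a class name. The JSON input is constructed for the demo and uses java.util.HashMap only because it is harmless and always on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.Map;

// Added example (not from the thread, swagger-core or Jackson): shows what
// "default typing" changes, which is the precondition Dom's audit looks for.
public class DefaultTypingCheck {

    // Constructed sample input. With default typing enabled, Jackson expects
    // polymorphic values as a two-element array: [ "type id", value ].
    // java.util.HashMap is used only because it is harmless and always present.
    static final String SAMPLE = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    /**
     * Reads SAMPLE as an untyped Object and reports whether the mapper treated
     * the first array element as a class name (true) or as plain data (false).
     */
    static boolean resolvesClassNames(ObjectMapper mapper) throws Exception {
        Object result = mapper.readValue(SAMPLE, Object.class);
        // Stock ObjectMapper: no class resolution at all; the array is read as
        // a List holding a String and a Map, so this is false.
        // enableDefaultTyping(): the String is looked up as a class name, an
        // instance of that class is created and populated, so this is true.
        return result instanceof Map;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper stock = new ObjectMapper();
        System.out.println("stock mapper resolves class names: "
                + resolvesClassNames(stock));

        ObjectMapper permissive = new ObjectMapper();
        // The opt-in the issue-1599 discussion is about (deprecated in later
        // Jackson versions in favour of an explicit allow-list).
        permissive.enableDefaultTyping();
        System.out.println("enableDefaultTyping() mapper resolves class names: "
                + resolvesClassNames(permissive));

        // Why the distinction matters for the waiver question: only the second
        // mapper instantiates whatever class name the input supplies, and the
        // class blacklist in the 2.7.9.x/2.8.11.1 fixes Denes lists can only
        // block known-bad names for mappers that are in that second state.
    }
}
```

Running the same check against each ObjectMapper a project actually builds (or grepping its dependencies for enableDefaultTyping) is the audit Dom describes for swagger-core.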
_______________________________________________
onap-discuss mailing list
[email protected]
https://lists.onap.org/mailman/listinfo/onap-discuss
