Hi Dom & All,

Like you, we had the same problem on CLAMP. As you said, the DefaultTyping is indeed the issue (and this feature is NOT enabled by default in Jackson, I tested it). Anyway, we did some minor changes on CLAMP to address that: https://gerrit.onap.org/r/#/c/38955/

The CLAMP code + RestEasy was making use of the Jackson ObjectMapper, so we replaced that by our own ObjectMapper instance on which we explicitly disabled the DefaultTyping. For RestEasy we have set our own version of the ObjectMapper just in case. We have also added a test case to verify that the issue is not present in our JacksonUtils class (https://gerrit.onap.org/r/#/c/38955/1/src/test/java/org/onap/clamp/clds/util/JacksonUtilsTest.java).

It's not a bullet-proof solution at all, but it can help. Of course all Jackson usages should pass through the JacksonUtils class. The JacksonUtils class must be improved to really lock the ObjectMapper so that the code using it can't enable the DefaultTyping (this will be fixed soon). I think the SDC team did a similar fix for now.

Also, if you are using Spring, just ensure you are using a >4.2.3 version of spring-security.

Not sure this is applicable in your cases, but maybe it can give you some ideas.

Seb

From: onap-discuss-boun...@lists.onap.org [mailto:onap-discuss-boun...@lists.onap.org] On Behalf Of LUNANUOVA, DOMINIC
Sent: Thursday, March 29, 2018 6:45 PM
To: Nemeth, Denes (Nokia - HU/Budapest) <denes.nem...@nokia.com>; fu.guangr...@zte.com.cn; DRAGOSH, PAM <pdrag...@research.att.com>
Cc: onap-discuss@lists.onap.org; onap-rele...@lists.onap.org
Subject: Re: [onap-discuss] [Onap-release] FYI - jackson-databind security fix 2.9.5
All,

When I read through the issue more, I noticed this comment by the author: https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-353157893

It mentions that the "default typing" behavior is not the normal default for this library. So, I checked my repo by doing mvn dependency:tree and found that the use of Jackson-databind was from the swagger-core library. When I inspect the swagger-core stable version 1.5.18 (https://github.com/swagger-api/swagger-core/releases/tag/v1.5.18) code, I do not find calls to either of the methods shown in the Spring Security commit example (https://github.com/spring-projects/spring-security/commit/947d11f433b78294942cb5ea56e8aa5c3a0ca439) to address this issue. (This Spring Security example is cited by the IQ Server description of SONATYPE-2017-0312 as a way to address the problem.) I.e. the swagger code doesn't contain a call to enable default typing, nor does it explicitly set a default typing whitelist. My preliminary conclusion is that swagger is relying on Jackson-databind default behavior, which, according to the author, shouldn't suffer from the vulnerability.
Curious if other projects have this same swagger dependency on Jackson-databind and if we can eliminate this collective concern. So, this requests:
- Review of my thinking
- If correct, some type of waiver for the vulnerability.

-Dom

From: onap-discuss-boun...@lists.onap.org [mailto:onap-discuss-boun...@lists.onap.org] On Behalf Of Nemeth, Denes (Nokia - HU/Budapest)
Sent: Thursday, March 29, 2018 4:11 AM
To: fu.guangr...@zte.com.cn; DRAGOSH, PAMELA L (PAM) <pdrag...@research.att.com>
Cc: onap-discuss@lists.onap.org; onap-rele...@lists.onap.org
Subject: Re: [onap-discuss] [Onap-release] FYI - jackson-databind security fix 2.9.5

Dear All,

Unfortunately there is no real fix for this in any of the Jackson releases, since the fix merged blacklists certain classes that should not be deserialized. The blacklisting-based fix is this: https://github.com/FasterXML/jackson-databind/issues/1599

It is only included in 2.7.9.3, 2.7.9.1 and 2.8.11.1 (mvnrepository.com listing: version, repository, usages, date):

  2.7.9.3    Central      1   (Feb, 2018)
  2.7.9.2    Central      6   (Dec, 2017)
  2.7.9.1
  2.8.11.1   Central     13   (Feb, 2018)
  2.8.11     Central    102   (Dec, 2017)
  2.8.10     Central    541   (Aug, 2017)
  2.8.9      Central    643   (Jun, 2017)

The 2.9.X branch does not contain the fixes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5

The fix in the 2.8 branch, https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1, is missing from 2.9: https://github.com/FasterXML/jackson-databind/blob/2.9/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java

I think there is no bullet-proof solution for now.

Cheers,
Denes

From: <onap-discuss-boun...@lists.onap.org> on behalf of "fu.guangr...@zte.com.cn" <fu.guangr...@zte.com.cn>
Date: 2018. March 29., Thursday 2:34
To: "pdrag...@research.att.com" <pdrag...@research.att.com>
Cc: "onap-discuss@lists.onap.org" <onap-discuss@lists.onap.org>, "onap-rele...@lists.onap.org" <onap-rele...@lists.onap.org>
Subject: Re: [onap-discuss] [Onap-release] FYI - jackson-databind security fix 2.9.5

That's good news, Pam. Just let us know the result. We've been struggling with this issue for a long time as well.

Best wishes.
Guangrong

Original Mail
Sender: DRAGOSH, PAMELA L (PAM) <pdrag...@research.att.com>
To: onap-discuss@lists.onap.org <onap-discuss@lists.onap.org>; onap-release <onap-rele...@lists.onap.org>
Date: 2018/03/29 07:55
Subject: [Onap-release] FYI - jackson-databind security fix 2.9.5

For teams with CLM issues regarding 2.9.4 and lower, just 2 days ago they released this version: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5

I am going to see if that clears my CLM issues for the policy projects. Wish me luck.

Pam

_______________________________________________
Onap-release mailing list
onap-rele...@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-release
_______________________________________________
onap-discuss mailing list
onap-discuss@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-discuss
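One way to build the kind of locked ObjectMapper Seb describes at the top of the thread (default typing explicitly disabled, the mapper never handed out so callers cannot re-enable it, and a self-check in the spirit of the CLAMP test case). This is an added example written for this page, not CLAMP's JacksonUtils; the class name SafeJsonMapper, the constructed sample input and the Jackson 2.9.x API (disableDefaultTyping, getDefaultTyper) are assumptions.

```java
import java.io.IOException;
import java.util.List;
import com.fasterxml.jackson.databind.ObjectMapper;

// Hypothetical hardened wrapper (an example, not CLAMP's JacksonUtils).
// The ObjectMapper is private and never returned, so no caller can call
// enableDefaultTyping(); all JSON work goes through the static helpers.
public final class SafeJsonMapper {

    private static final ObjectMapper MAPPER = build();

    private SafeJsonMapper() {}

    private static ObjectMapper build() {
        ObjectMapper m = new ObjectMapper();
        // Default typing is already off in a fresh ObjectMapper (as the
        // thread confirms); disabling it explicitly records the intent.
        m.disableDefaultTyping();
        return m;
    }

    public static <T> T fromJson(String json, Class<T> type) throws IOException {
        return MAPPER.readValue(json, type);
    }

    public static String toJson(Object value) throws IOException {
        return MAPPER.writeValueAsString(value);
    }

    /** True when no default type resolver is configured for deserialization. */
    public static boolean isDefaultTypingDisabled() {
        return MAPPER.getDeserializationConfig()
                .getDefaultTyper(MAPPER.constructType(Object.class)) == null;
    }

    /** Self-check: a type-tagged array (the shape default typing would read as a
     *  class name) must come back as plain data, i.e. a two-element List. */
    public static boolean typeTagIsTreatedAsData() throws IOException {
        // Constructed input; the class name is a placeholder, not a real type.
        String tagged = "[\"com.example.NotARealClass\", {\"x\": 1}]";
        Object out = fromJson(tagged, Object.class);
        return out instanceof List && ((List<?>) out).size() == 2;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("default typing disabled: " + isDefaultTypingDisabled());
        System.out.println("type tag treated as data: " + typeTagIsTreatedAsData());
    }
}
```

Both checks should print true; wiring them into a unit test, as the CLAMP change did, turns any later enableDefaultTyping() call into a build failure.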