
In which release is CVE 2017-15095 fixed? #1847

Closed
appDeveloper888 opened this issue Nov 30, 2017 · 9 comments

Comments

@appDeveloper888

Hi all,

In which release is CVE-2017-15095 fixed?

best regards

@cowtowncoder
Member

Please do not re-file the same issue: I already answered in #1837.

@appDeveloper888
Author

appDeveloper888 commented Nov 30, 2017 via email

@cowtowncoder
Member

Ok, I have no idea then. If you have a link to the vulnerability, could you add it?
These vulnerabilities are typically not reported to me, for some reason or another, and I only hear about them when someone points them out. Not sure that's the way these should go; probably not.

@cowtowncoder
Member

Googling produced hits, but no good explanation other than the suggestion that the black list is incomplete:

https://access.redhat.com/security/cve/cve-2017-15095

This could possibly refer to #1737 (included in 2.8.10 / 2.9.1), which adds the last known potentially concerning cases. If there are other types to include, they have not been reported to the project yet.

@cowtowncoder
Member

Ok. Yes, it looks like #1737 is the main thing matching CVE-2017-15095.
Red Hat's bug tracker refers to 2 other issues which are sort of related:

So the answer here is that the fix is in

  • 2.8.10
  • 2.9.1

@DKumars

DKumars commented Jan 31, 2018

Hi,

Is this CVE-2017-15095 vulnerability fixed in version 2.6.7.1? Please confirm, because we are using version 2.6.1. If we move to 2.8.10 then it gives us a lot of dependency changes in scala_module_2_11. Please confirm: can we use 2.6.7.1 for this fix?

@cowtowncoder
Member

@DKumars No. You need to upgrade to a newer version, 2.8.10 or 2.9.1.

@marpereira

Hello,

I'm facing the same issue as @DKumars. Are you guys still landing these CVE fixes for 2.6.7.X?

Thanks,

@cowtowncoder
Member

@marpereira No. There was one last micro-patch for 2.6, 2.6.7.3 (and 2.7.9.7, 2.8.11.6), but no new micro-patches are planned for anything earlier than 2.9, nor are fixes being merged.

There will be a 2.9.10.4 release, but once 2.11.0 is released, 2.9 is likely closed as well.
It is a big waste of time to maintain a blocklist of classes, since security researchers are now collecting these to get credit for CVE submissions, and with the propagation of potentially vulnerable Factory types across tens of thousands of publicly available Java jars, there is boundless source material to find them from. In practice, newer findings are for more obscure dependencies, less likely to be exploitable by attackers (since they need to know the classpath setup of the target system).

2.10 is not considered vulnerable to this class of CVEs, and 2.11 will add more convenience features to allow safe(r) polymorphic deserialization. So at this point it is worth seriously considering an upgrade, to avoid having to upgrade the Jackson dependency regularly.
Or, alternatively, if there are companies with enough money to make it worth it, figure out support contracts for work to provide additional backporting of block lists.
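The thread contrasts the blocklist approach that this CVE class keeps defeating with the allowlist-based polymorphic type validation available from 2.10 on. The following is an added example, not code from the jackson-databind project or from any participant in this issue: it puts the weak, blocklist-only default-typing configuration next to a hardened one that uses `BasicPolymorphicTypeValidator` to accept only subtypes of an application-owned base type. The `Notification` hierarchy and the JSON inputs are constructed for the demo; the example assumes jackson-databind 2.10 or later on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicDemo {

    // Constructed sample hierarchy: the only subtypes the application
    // intends to accept. Logical names ("email", "sms") are used as type
    // ids, so no class names ever come from the wire for this type.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = EmailNotification.class, name = "email"),
        @JsonSubTypes.Type(value = SmsNotification.class, name = "sms")
    })
    public interface Notification {}

    public static class EmailNotification implements Notification {
        public String address;
    }

    public static class SmsNotification implements Notification {
        public String phone;
    }

    // Weak configuration (pre-2.10 style, deprecated since 2.10): global
    // default typing guarded only by the built-in blocklist. Any class on
    // the classpath that is not on that list is accepted as a type id,
    // which is exactly the gap each new CVE in this class widens.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened configuration (2.10+): an allowlist validator. Only
    // subtypes of Notification may be instantiated through default typing;
    // everything else is rejected before the class is even loaded.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Notification.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input using the annotated logical type id.
        String allowed = "{\"kind\":\"email\",\"address\":\"ops@example.test\"}";
        Notification n = mapper.readValue(allowed, Notification.class);
        System.out.println("accepted: " + n.getClass().getSimpleName());

        // Constructed input carrying a class-name type id for a harmless
        // JDK type that is simply outside the allowlist. The validator
        // rejects it regardless of whether it appears on any blocklist.
        String outsideAllowlist = "[\"java.util.HashMap\",{}]";
        try {
            mapper.readValue(outsideAllowlist, Object.class);
            System.out.println("unexpected: type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The design point is the inversion of the decision: the weak mapper asks "is this class known to be dangerous?", which the thread explains can never be answered completely, while the hardened mapper asks "is this class one we explicitly chose to deserialize?", which the application can answer on its own. Using `JsonTypeInfo.Id.NAME` with `@JsonSubTypes` for application types removes class names from the wire format entirely, and the validator on `activateDefaultTyping` closes the remaining path for any `Object`-typed or abstract-typed properties.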
