Another two gadgets to exploit default typing issue in jackson-databind (CVE-2018-5968)

[OneSourceCat]

Another 2 gadget types reported against Hibernate, iBatis.

See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2018-5968

Fixed in:

• 2.9.4 and later
• 2.8.11.1
• 2.7.9.2
• 2.6.7.3

[cowtowncoder]

I am not sure I saw that email. Which address was it from (or what was the title)?

[OneSourceCat]

The title is [Critical] Jackson Deserialization RCE via a new Gadget.
There are two emails about two different gadget.

[cowtowncoder]

Ok somehow I do not see this via that email address (with that title or any other combination).
Would it be possible re-send it?

[codelion]

@OneSourceCat Should the latest published version of jackson-databind be considered vulnerable, until the issue is resolved?

[cowtowncoder]

@codelion before assuming anything, make sure to also read:

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

to know under what special conditions vulnerabilities exist. For most Jackson users these are not applicable.

[OneSourceCat]

@cowtowncoder I've already resent the report. My email address is chongrui123[at]gmail.com.

[cowtowncoder]

@OneSourceCat Ah. Gmail decided to put them in SPAM for some weird reason. :-o