A deserialization vulnerability in Java FasterXML jackson-databind was reported as a CVE, so I tried reading the related material.
- 1. What is Java FasterXML jackson-databind?
- 2. What is a deserialization vulnerability?
- 3. What are the vulnerabilities in Java FasterXML jackson-databind?
- 4. FasterXML tickets and fixed versions for the CVEs in section 3
- 5. Details of the fix source commits for the CVEs in section 3
1. What is Java FasterXML jackson-databind?
https://kazuhira-r.hatenablog.com/entry/20131005/1380963987 https://qiita.com/opengl-8080/items/b613b9b3bc5d796c840c
2. What is a deserialization vulnerability?
https://blog.tokumaru.org/2017/09/introduction-to-object-injection.html https://graneed.hatenablog.com/entry/2019/04/06/154157
3. What are the vulnerabilities in Java FasterXML jackson-databind?
As stated at https://jvndb.jvn.jp/, there is a possibility of information disclosure, tampering, and denial of service. Reference:
| CVE | Summary |
|---|---|
| 2019-17267 | Information disclosure/tampering and DoS possible via an input validation vulnerability |
| 2019-14893 | Information disclosure/tampering and DoS possible via deserialization of untrusted data |
| 2020-8840 | Same as above |
| 2020-9546 | Same as above |
| 2020-9547 | Same as above |
| 2020-9548 | Same as above |
4. FasterXML tickets and fixed versions for the CVEs in section 3
5. Details of the fix source commits for the CVEs in section 3
Main fix sources (above all, SubTypeValidator.java)
- jackson-databind/SubTypeValidator.java at 2.9 · FasterXML/jackson-databind · GitHub
- jackson-databind/AnnotationIntrospector.java at 2.9 · FasterXML/jackson-databind · GitHub
- jackson-databind/DeserializationFeature.java at 2.9 · FasterXML/jackson-databind · GitHub
- jackson-databind/Module.java at 2.9 · FasterXML/jackson-databind · GitHub
- jackson-databind/ObjectMapper.java at 2.9 · FasterXML/jackson-databind · GitHub
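The files above show where the 2.9 fixes live: SubTypeValidator.java keeps a blocklist of class names that must not be resolved when default typing is enabled, and each of the CVEs in section 3 added entries to it. The following is an added example (not code from this post or from the jackson-databind project) that contrasts the weak setting, default typing with only the blocklist protecting it, with two allow-list configurations that do not depend on the blocklist being complete. It assumes jackson-databind 2.10 or later for `PolymorphicTypeValidator` and `activateDefaultTyping`; the package prefix `com.example.model.` and the `Shape` types are placeholders.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example: ObjectMapper configurations contrasted (not from the post
// or the jackson-databind project). Assumes jackson-databind 2.10+.
public class SafeMapperConfig {

    // Weak setting: default typing for Object and non-concrete properties,
    // so incoming JSON may name the class to instantiate. Only the
    // SubTypeValidator blocklist stands in the way, which is why each new
    // gadget class needed a new CVE and a new blocklist entry.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10
        return mapper;
    }

    // Hardened setting: default typing stays on, but subtypes are resolved
    // only if they match an explicit allow-list (placeholder package prefix).
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Preferred setting: no default typing at all. Polymorphism uses logical
    // type names bound to a fixed set of subtypes declared in annotations.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}

    public static class Circle implements Shape { public double radius; }

    public static class Square implements Shape { public double side; }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper(); // default typing left off
        Shape s = mapper.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println(s.getClass().getSimpleName());
        // A document whose "type" is not one of the registered names is
        // rejected with InvalidTypeIdException; no class name in the input
        // is ever resolved, so the blocklist is never the last line of defence.
    }
}
```

The annotated form is the one to reach for in new code: the set of instantiable classes is fixed at compile time, and upgrading jackson-databind only tightens things further. Where default typing cannot be removed from an existing code base, the `BasicPolymorphicTypeValidator` allow-list replaces the blocklist as the gate, so keeping up with the CVE stream listed below becomes a hardening step rather than an emergency.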
v2.9.9.3 → v2.9.10
Comparing jackson-databind-2.9.9.3...jackson-databind-2.9.10 · FasterXML/jackson-databind · GitHub
- Fix #2410 #2420 · FasterXML/jackson-databind@d4983c7 · GitHub
- Merge branch '2.8' into 2.9 · FasterXML/jackson-databind@0b887a0 · GitHub
- Observe the FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY when using crea… · FasterXML/jackson-databind@a66f16f · GitHub
- Fix #2450 (javadoc) · FasterXML/jackson-databind@7991da9 · GitHub
- Fix #2449 · FasterXML/jackson-databind@73c1c2c · GitHub
- Merge branch '2.8' into 2.9 · FasterXML/jackson-databind@e239b0d · GitHub
- Fix #2460 · FasterXML/jackson-databind@191a4cd · GitHub
- Merge branch '2.8' into 2.9 · FasterXML/jackson-databind@29a76b2 · GitHub
- Actual #2462 fix (prev commit only updates release notes) · FasterXML/jackson-databind@41b7f9b · GitHub
- Merge branch '2.8' into 2.9 (fix #2462) · FasterXML/jackson-databind@819cdbc · GitHub
- Fix #2469 · FasterXML/jackson-databind@998efd7 · GitHub
- Merge branch '2.8' into 2.9 · FasterXML/jackson-databind@fb620ef · GitHub
v2.9.10 → v2.9.10.3
Comparing jackson-databind-2.9.10...jackson-databind-2.9.10.3 · FasterXML/jackson-databind · GitHub
- Fix #2478 (cve) · FasterXML/jackson-databind@9593e16 · GitHub
- Merge branch '2.8' into 2.9 · FasterXML/jackson-databind@e6cb875 · GitHub
- Complete #2478 fix · FasterXML/jackson-databind@328a0f8 · GitHub
- Merge branch '2.8' into 2.9 · FasterXML/jackson-databind@ad77f05 · GitHub
- Fix #2498 · FasterXML/jackson-databind@b5a304a · GitHub
- Merge branch '2.8' into 2.9 · FasterXML/jackson-databind@e099ae0 · GitHub
- Fix #2526 · FasterXML/jackson-databind@fc4214a · GitHub
- Merge branch '2.8' into 2.9 · FasterXML/jackson-databind@3cc3b01 · GitHub
- Fix #2544 · FasterXML/jackson-databind@d33730c · GitHub
- Add a test (passing in 2.9, failin 2.10) for #2576 · FasterXML/jackson-databind@a4bdcef · GitHub
- Fix #2620 · FasterXML/jackson-databind@914e7c9 · GitHub
- Merge branch '2.8' into 2.9 · FasterXML/jackson-databind@865dc7d · GitHub
v2.9.10.3 → v2.9.10.4
- Backport 6 CVE fixes from 2.8 (now up to 2.9.10[.1] set, similar to 2… · FasterXML/jackson-databind@3c95106 · GitHub
- .. actually, here is the merging of those half a dozen of CVEs, not p… · FasterXML/jackson-databind@bbdbc40 · GitHub
- Fixing issues #2631 and #2634 · FasterXML/jackson-databind@9f4e970 · GitHub
- Fix #2642 · FasterXML/jackson-databind@4d038c9 · GitHub
- Fix #2648 · FasterXML/jackson-databind@9bdc373 · GitHub
- Fix #2526 · FasterXML/jackson-databind@eb25481 · GitHub
- Fix #2620 · FasterXML/jackson-databind@9bb52c7 · GitHub
- Fixing issues #2631 and #2634 · FasterXML/jackson-databind@1e64db6 · GitHub
- Fix #2642 · FasterXML/jackson-databind@6ba4845 · GitHub
- Fix #2648 · FasterXML/jackson-databind@3240cab · GitHub
- Merge branch '2.7' into 2.8 · FasterXML/jackson-databind@4e0c38c · GitHub
- Javadoc error fixes · FasterXML/jackson-databind@2a73f08 · GitHub
- Merge branch '2.8' into 2.9 · FasterXML/jackson-databind@9ea232b · GitHub
- Fix #2653 · FasterXML/jackson-databind@82d5d10 · GitHub
- Fix #2658 · FasterXML/jackson-databind@a424c03 · GitHub
- Fix #2659 · FasterXML/jackson-databind@592872f · GitHub
- Fix #2660 · FasterXML/jackson-databind@1645efb · GitHub
- Fix #2662, #2664, #2666 · FasterXML/jackson-databind@05d7e0e · GitHub
- Further additions wrt #2664 · FasterXML/jackson-databind@c14c9f9 · GitHub
- Fix #2670 · FasterXML/jackson-databind@e2ba12d · GitHub
- Fix #2680 · FasterXML/jackson-databind@113e89f · GitHub
- Fix #2682 · FasterXML/jackson-databind@77040d8 · GitHub