Details
Type: Task
Status: Resolved
Priority: Major
Resolution: Invalid
Affects Version/s: 3.1.2, 3.1.3
Fix Version/s: None
Component/s: None
Description
Need to upgrade jackson-databind version to 2.9.3.1
At the beginning of 2018, jackson-databind was reported to contain another remote code execution (RCE) vulnerability (CVE-2017-17485) affecting versions 2.9.3 and earlier, 2.8.10 and earlier, and 2.7.9.1 and earlier. The root cause is jackson-databind's incomplete class blacklist: the library tries to block known deserialization gadget classes by name, and the list misses some. An application becomes vulnerable when it enables default typing by calling enableDefaultTyping on its ObjectMapper, because polymorphic deserialization then lets the sender of the JSON choose the concrete class to instantiate. An attacker can send maliciously crafted JSON input that names a gadget class not on the blacklist and thereby gain control over the server. A proof-of-concept (PoC) exploit for this vulnerability is publicly available. All users affected by this vulnerability should upgrade to the latest versions as soon as possible.
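To make the mechanism concrete, here is an added example (not code from this ticket or from the jackson-databind project) showing the unsafe enableDefaultTyping pattern next to the allow-list form that later jackson-databind releases provide. The Holder, Animal and Dog classes and the JSON inputs are constructed for the demonstration; java.util.HashMap stands in for the gadget class an attacker would name, so nothing here is an exploit. The hardened mapper uses activateDefaultTyping and BasicPolymorphicTypeValidator, which exist from jackson-databind 2.10 onward, so it is a migration target rather than something available on the 2.9.3 line this ticket is about.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Compile in the default package so the type id "DefaultTypingDemo$Dog" below resolves.
public class DefaultTypingDemo {

    // Constructed example types. A property declared as Object is exactly where
    // default typing hands the choice of concrete class to whoever sends the JSON.
    public static class Holder {
        public Object payload;
    }

    public static abstract class Animal { public String name; }
    public static class Dog extends Animal { public boolean barks; }

    /** The pattern this ticket warns about: global default typing, blacklist-only protection. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        // With NON_FINAL, every non-final declared type (including Object) carries a
        // ["fully.qualified.ClassName", {...}] wrapper that the library will honour.
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    /** Hardened form (2.10+): default-deny allow-list instead of a blacklist. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType(Animal.class) // polymorphism only for Animal-typed properties
                .allowIfSubType(Animal.class)  // and only Animal subclasses may be named
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Constructed input in the shape an attacker controls: the sender names a JDK class
    // for an Object-typed property. A harmless class stands in for a gadget class here.
    static final String ATTACKER_SHAPED = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    // Constructed legitimate input: a polymorphic Animal that the allow-list permits.
    static final String LEGITIMATE = "[\"DefaultTypingDemo$Dog\",{\"name\":\"rex\",\"barks\":true}]";

    /** Returns the class the vulnerable mapper instantiated for the sender-chosen type id. */
    static String classChosenBySender() throws Exception {
        Holder h = vulnerableMapper().readValue(ATTACKER_SHAPED, Holder.class);
        return h.payload.getClass().getName();
    }

    /** Returns true if the hardened mapper refuses the sender-chosen type id. */
    static boolean hardenedRejectsAttackerShape() throws Exception {
        try {
            hardenedMapper().readValue(ATTACKER_SHAPED, Holder.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return "java.util.HashMap".equals(e.getTypeId());
        }
    }

    /** Returns true if the hardened mapper still handles allow-listed polymorphism. */
    static boolean hardenedAcceptsLegitimateShape() throws Exception {
        Animal a = hardenedMapper().readValue(LEGITIMATE, Animal.class);
        return a instanceof Dog && ((Dog) a).barks;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("vulnerable mapper instantiated: " + classChosenBySender());
        System.out.println("hardened mapper rejected attacker shape: " + hardenedRejectsAttackerShape());
        System.out.println("hardened mapper accepted Dog: " + hardenedAcceptsLegitimateShape());
    }
}
```

The first check a practitioner should run before any code change is to find out which jackson-databind version the build actually resolves, since a transitive dependency can pull in an older one than the declared version; with Maven, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` shows the resolved artifact. Independently of the version, grep the code base for enableDefaultTyping: if it is not called (and no @JsonTypeInfo uses Id.CLASS on an attacker-reachable type), the blacklist bypass described above has nothing to bypass.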