Block more classes from polymorphic deserialization (CVE-2018-14718 - CVE-2018-14721)

[cowtowncoder]

This issue covers following CVEs related to polymorphic deserialization, gadgets:

• CVE-2018-14718: RCE with slf4j-ext jar
• CVE-2018-14719: RCE with blaze-ds-opt, -core jars
• CVE-2018-14720: exfiltration/XXE with only JDK classes (some JDK versions)
• CVE-2018-14721: exfiltration/SSRF with axis2-jaxws

Original vulnerability discoverer:
吴桂雄 Wuguixiong

---

Fixed in:

• 2.9.7 and later
• 2.8.11.3
• 2.7.9.5
• 2.6.7.3

[bbossola]

When is the release of 2.8.11.3, with this fix, planned?

[bbossola]

bump :)

[cowtowncoder]

@bbossola I don't know. Question here is whether I'd release it now, or wait for another 4 classes that I know need to be blocked. Given there are 100+ dependencies for 2.8.11.2 there does seem to be demand for patches (which is sort of positive surprise).

[cowtowncoder]

Fix released on 23-Nov-2018, in:

• 2.7.9.5 (micro-patch of jackson-databind)
• 2.8.11.3 (micro-patch of jackson-databind, plus jackson-bom version 2.8.11.20181123 )

and will be included in 2.9.8 as soon as that gets released (full release along with other fixes)

[cedricdangremont]

@cowtowncoder.
when checking the archive for 2.6.7.2, I can see the content of the commit 87d29af which fixes the issue. Anyways, when I check the next releases (2.7.9.5, 2.8.11.3, 2.9.8), I don't find the associated code. In these versions the complete static initializer part containing the fix is missing.
Are these versions really fixed?
Thanks in advance.