Skip to content

Block more classes from polymorphic deserialization (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362) #2186

New issue
New issue
Closed
Closed
Block more classes from polymorphic deserialization (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362)#2186
Labels
CVEIssues related to public CVEs (security vuln reports)
Milestone
2.9.8
@cowtowncoder

Description

@cowtowncoder
cowtowncoder
opened on Nov 18, 2018

This issue covers following CVEs related to polymorphic deserialization, gadgets:

CVE-2018-19360 (axis2-transport-jms)
CVE-2018-19361 (openjpa)
CVE-2018-19362 (jboss-common-core)

See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Original vulnerability discoverer:
吴桂雄 Wuguixiong

Fixed in:

  • 2.9.8 and later
  • 2.8.11.3
  • 2.7.9.5
  • 2.6.7.3

Metadata

Metadata

Assignees

No one assigned

    Labels

    CVEIssues related to public CVEs (security vuln reports)

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions