Block one more gadget type (mysql, CVE-2019-12086)

[cowtowncoder]

A new gadget type (see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) was reported, and CVE id allocated was CVE-2019-12086.
CVE description is available at: https://nvd.nist.gov/vuln/detail/CVE-2019-12086 for full details, but the specific variation (in addition to needing "default typing", attacker being able to craft specific json message) is that:

• If service has jar mysql-connector-java in its classpath

vulnerability applies, and attacker is able to read arbitrary files from service's local file system.

Original vulnerability discoverer: 618 from College of software, Nankai University

---

Fixed in:

• 2.9.9 and later
• 2.8.11.4
• 2.7.9.6
• 2.6.7.3

[cowtowncoder]

Fixed this in2.9 (for 2.9.9) and backported in 2.8 as well in case 2.8.11.4 might be released (no plans at this point). Will be included in later versions like 2.10.0 and 3.0 as well.

[0x554simon]

Is this fix included in 2.9.9? I didn't find any information about this in Release note.

[cowtowncoder]

@0x554simon yes it is. Thank you for pointing out it was missing from release notes file, even tho it was included on release page (https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)

[tcherel]

@cowtowncoder https://nvd.nist.gov/vuln/detail/CVE-2019-12086 is saying/suggesting that the vulnerability can be exploited only if the mysql-connector-java jar 8.0.14 or earlier is in the classpath.
But I do not see any differences between the com.mysql.cj.jdbc.admin.MiniAdmin class in the mysql-connector-java jar 8.0.14 or the latest one (8.0.16).

[cowtowncoder]

@tcherel I based CVE on report I received which seemed to indicate something had been fixed but I did not verify difference myself. So I wonder if original reporter included latest version that had the problem and assumed (or implied) that fix would be in next version?

[tcherel]

Thanks @cowtowncoder. Do you have an email or contact info that I can use to reach out to the original reporter?