Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block one more gadget type (HikariCP, CVE-2019-14540) #2410

Closed
iSafeBlue opened this issue Aug 6, 2019 · 8 comments
Closed

Block one more gadget type (HikariCP, CVE-2019-14540) #2410

iSafeBlue opened this issue Aug 6, 2019 · 8 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10

Comments

@iSafeBlue
Copy link

iSafeBlue commented Aug 6, 2019
edited by cowtowncoder
Loading

Another gadget (*) type report regarding HikariConfig, via HikariDataSource

Mitre id: CVE-2019-14540
Reporter: iSafeBlue / blue at ixsec.org

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type

Fixed in:

  • 2.9.10
  • 2.8.11.5
  • 2.6.7.3
  • does not affect 2.10.0 and later
@Ramos-dev
Copy link

it also work find on fastjson.

@cowtowncoder
Copy link
Member

Thank you for the report -- I got the email and had a look at linked to explanation.
Seems legit.

@jdelta-RBS
Copy link

maybe this one will get 3 CVEs : )

@cowtowncoder cowtowncoder added 2.8 CVE Issues related to public CVEs (security vuln reports) labels Aug 9, 2019
@cowtowncoder
Copy link
Member

Block added, will be included in:

  • 2.9.10
  • 2.10.0.pr2 (and final 2.10.0)

also backported in 2.8 branch but not sure if any more releases for 2.8 will be made.

@cowtowncoder cowtowncoder added 2.9 and removed 2.8 labels Aug 9, 2019
@cowtowncoder cowtowncoder modified the milestones: 2.9.1, 2.9.10 Aug 9, 2019
@laszlovandenhoek laszlovandenhoek mentioned this issue Sep 6, 2019
Merged
@cowtowncoder cowtowncoder changed the title Block one more gadget type (CVE-2019-14540) Block one more gadget type (HikariCP, CVE-2019-14540) Sep 16, 2019
@cowtowncoder cowtowncoder mentioned this issue Sep 16, 2019
Closed
marco-schmidt added a commit to marco-schmidt/am that referenced this issue Sep 18, 2019
@marco-schmidt
upgrade jackson-databind because of security issues
9a566b5 
CVE-2019-16335 FasterXML/jackson-databind#2449
CVE-2019-14540 FasterXML/jackson-databind#2410
@OrangeDog
Copy link

When is 2.9.10 being released?
Looks like another repeat of the delay on the previous security fixes.

@cowtowncoder
Copy link
Member

@OrangeDog 2.9.10 will be released after 2.10.0, likely in 2 weeks.

@cowtowncoder cowtowncoder mentioned this issue Sep 19, 2019
Closed
@jordandev
Copy link

No 2.9.9.4 micro patch for this?

@cowtowncoder
Copy link
Member

Nope.

ryber added a commit to Kong/unirest-java that referenced this issue Sep 21, 2019
@ryber
tmp ignore these CVEs until jackson releases the patches: FasterXML/j…
0a4474d 
…ackson-databind#2410
@ryber ryber mentioned this issue Sep 21, 2019
Closed
@jdelta-RBS jdelta-RBS mentioned this issue Sep 24, 2019
Closed
@sseide sseide mentioned this issue Sep 27, 2019
Merged
2 tasks
@iperdomo iperdomo mentioned this issue Oct 22, 2019
Closed
iperdomo added a commit to iperdomo/cheshire that referenced this issue Oct 22, 2019
@iperdomo
[dakrone#155] Update Jackson to 2.9.10
473e93a 
FasterXML/jackson-databind#2410
FasterXML/jackson-databind#2449
@iperdomo iperdomo mentioned this issue Oct 22, 2019
Closed
ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019
@ablekhman
Block one more gadget type (HikariCP, CVE-2019-14540)
f48b85e 
Merged from FasterXML/jackson-databind#2410
Merged
4 tasks
@padma81 padma81 mentioned this issue Jul 28, 2020
Closed
@sijie sijie mentioned this issue Jul 28, 2020
Open
@krystofNovotny krystofNovotny mentioned this issue Feb 5, 2021
Open
This was referenced May 10, 2022
Open
Open
Closed
@scott-cx scott-cx mentioned this issue Aug 1, 2022
Open
@cxronen cxronen mentioned this issue Sep 20, 2022
Open
@margaritalm margaritalm mentioned this issue Dec 25, 2022
Open
@cxronen cxronen mentioned this issue Apr 13, 2023
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10
Development

No branches or pull requests
6 participants
@cowtowncoder @OrangeDog @jordandev @iSafeBlue @Ramos-dev @jdelta-RBS