SECURITY VULNERABILITIES WITH jackson-databind-2.1.4.jar IN JASPER CE 6.1.0


During the testing of jasperreports-server-cp, version 6.1.0, we found that it uses the library jackson-databind-2.1.4.jar, which has the vulnerabilities mentioned below.

CVE-2019-12086: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
More details:
https://nvd.nist.gov/vuln/detail/CVE-2019-12086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

CVE-2019-12814: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
More details:
https://nvd.nist.gov/vuln/detail/CVE-2019-12814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814

CVE-2019-12384: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
More details:
https://nvd.nist.gov/vuln/detail/CVE-2019-12384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384

CVE-2019-14379: SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.
More details:
https://nvd.nist.gov/vuln/detail/CVE-2019-14379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

CVE-2019-14439: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
More details:
https://nvd.nist.gov/vuln/detail/CVE-2019-14439
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439


Recommended upgrade is to use jackson-databind-2.9.9.3.jar or later.

We noticed that the latest version of the jasperreports-server-cp, version 7.2.0, also uses the vulnerable jar jackson-databind-2.9.8.jar.

Hence there is currently NO Jasper release that we can upgrade to that addresses the above issues.

Queries:

1) Are there any plans to upgrade the above vulnerable jar in the coming releases of the JasperReports Server CE?

2) Could you recommend any workaround to circumvent the security problems until the jar upgrade happens?

We have also sent a note to security@tibco.com regarding the above vulnerabilities.

akshaya_hebbar
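As an added example (not part of the post and not TIBCO or Jaspersoft code), the following Python helper applies the jar-level preconditions stated in the CVE texts above to a classpath listing such as the contents of WEB-INF/lib. The artifact names it matches (mysql-connector-java, jdom/jdom2, logback-core, logback-classic, ehcache) and the sample listing are assumptions; whether Default Typing is actually enabled cannot be read from jar names, so a hit means "potentially exposed", not "confirmed exploitable".

```python
"""Map jar file names on a classpath to the jackson-databind CVEs above."""
import re
from typing import Dict, List, Tuple

# Ranges and co-required gadget jars as stated in the CVE texts:
# (cve, databind version that fixes it, regex on the gadget artifact name,
#  highest vulnerable gadget version or None, note).  Artifact names assumed.
CVES = [
    ("CVE-2019-12086", "2.9.9", r"^mysql-connector-java$", "8.0.14", "mysql-connector-java <= 8.0.14"),
    ("CVE-2019-12814", "2.9.9.1", r"^jdom2?$", None, "JDOM 1.x or 2.x"),  # "through 2.9.9"
    ("CVE-2019-12384", "2.9.9.1", r"^logback-core$", None, "logback-core"),
    ("CVE-2019-14379", "2.9.9.2", r"^ehcache$", None, "ehcache"),
    ("CVE-2019-14439", "2.9.9.2", r"^logback-(core|classic)$", None, "logback"),
]

# artifact-version[-qualifier].jar, e.g. jackson-databind-2.9.9.3.jar
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d+(?:\.\d+)*)(?:[-.]\w+)*\.jar$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Jackson micro-patches have four components (2.9.9.3 > 2.9.9), so pad to four."""
    parts = [int(p) for p in re.findall(r"\d+", v)][:4]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(jars: List[str]) -> Dict[str, str]:
    """Return {cve: reason} for each CVE whose jar preconditions hold on this classpath."""
    found = {}
    for jar in jars:
        m = JAR_RE.match(jar)
        if m:
            found[m["name"]] = m["version"]
    databind = found.get("jackson-databind")
    if databind is None:
        return {}
    hits = {}
    for cve, fixed_in, gadget_re, gadget_max, note in CVES:
        if parse_version(databind) >= parse_version(fixed_in):
            continue  # databind already at or past the fixing release
        for name, ver in found.items():
            too_new = gadget_max and parse_version(ver) > parse_version(gadget_max)
            if re.match(gadget_re, name) and not too_new:
                hits[cve] = f"jackson-databind {databind} < {fixed_in} with {name} {ver} ({note})"
                break
    return hits


if __name__ == "__main__":
    # Constructed listing for illustration, not taken from an actual Jasper install
    sample = ["jackson-databind-2.1.4.jar", "jackson-core-2.1.4.jar",
              "mysql-connector-java-5.1.47.jar", "logback-core-1.2.3.jar"]
    for cve, why in sorted(triage(sample).items()):
        print(cve, "-", why)
    print("Default Typing must also be enabled for any of these to be reachable.")
```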

Refer to https://www.tibco.com/security

Resources

Security Advisories

TIBCO distributes information about security vulnerabilities and remediation in its products through security advisories.

Public Security Notices

TIBCO’s response to general publicly announced security issues can be found on our Public Notices page.

Security Policy, Practices and Processes

For details on TIBCO Security Policies, Practices and Processes please see the TIBCO Security Guidelines.

djohnson53 - 1 month 2 days ago

The answer given by swood_1 only applies to CVE-2019-14439.

The other vulnerabilities, CVE-2019-12086, CVE-2019-12814, CVE-2019-12384 and CVE-2019-14379, are still not answered.

I am not getting an option to comment on his answer, so I am adding a comment here.

akshaya_hebbar - 1 month 1 day ago

Please refer to these resources. As TIBCO employees, we are not at liberty to discuss these CVEs outside of these resources:

Security Advisories

TIBCO distributes information about security vulnerabilities and remediation in its products through security advisories.

Public Security Notices

TIBCO’s response to general publicly announced security issues can be found on our Public Notices page.

djohnson53 - 1 month 1 day ago

1 Answer:


[Updated] Don is correct. We cannot comment on security issues like CVEs, and cannot commit to fixes or timeframes.
swood_1