akshaya_hebbar Posted September 16, 2019

SECURITY VULNERABILITIES WITH jackson-databind-2.1.4.jar IN JASPER CE 6.1.0

During the testing of jasperreports-server-cp, version 6.1.0, we found that it uses the library jackson-databind-2.1.4.jar, which has the below-mentioned vulnerabilities.

CVE-2019-12086: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
More details:
https://nvd.nist.gov/vuln/detail/CVE-2019-12086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

CVE-2019-12814: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
More details:
https://nvd.nist.gov/vuln/detail/CVE-2019-12814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814

CVE-2019-12384: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
More details:
https://nvd.nist.gov/vuln/detail/CVE-2019-12384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384

CVE-2019-14379: SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.
More details:
https://nvd.nist.gov/vuln/detail/CVE-2019-14379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

CVE-2019-14439: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
More details:
https://nvd.nist.gov/vuln/detail/CVE-2019-14439
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Recommended upgrade is to use jackson-databind-2.9.9.3.jar or later. We noticed that the latest version of the jasperreports-server-cp, version 7.2.0, also uses the vulnerable jar jackson-databind-2.9.8.jar. Hence there is currently NO Jasper release that we can upgrade to that addresses the above issues.

Queries:
1) Are there any plans to upgrade the above vulnerable jar in the coming releases of the JasperReports Server CE?
2) Could you recommend any workaround to circumvent the security problems until the upgrade of the jar happens?

Have also sent a note to security@tibco.com regarding the above vulnerabilities.
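The practical check behind the post is "which jackson-databind jar does this deployment actually ship, and is it older than 2.9.9.3?" The POSIX shell script below is an added example, not code from this thread or from the JasperReports Server project: it scans a library directory for jackson-databind jars, parses the version out of each file name, and compares it component by component against the 2.9.9.3 minimum the post recommends. The lib directory argument, the jar file naming pattern, and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag jackson-databind jars older than the
# minimum the original post recommends. Usage:
#   sh check_jackson.sh /path/to/jasperserver/WEB-INF/lib   (path is deployment specific)

MIN_VERSION="2.9.9.3"

# Compare two dotted version strings numerically, component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing components count as 0, so
# "2.9.9" is treated as 2.9.9.0 and therefore older than 2.9.9.3.
# A non-numeric suffix such as "9-rc1" is reduced to its leading digits.
version_cmp() {
    i=1
    while [ "$i" -le 4 ]; do
        # Pad with ".0.0.0" so every field position exists for cut.
        pa=$(printf '%s.0.0.0\n' "$1" | cut -d. -f"$i")
        pb=$(printf '%s.0.0.0\n' "$2" | cut -d. -f"$i")
        pa=$(printf '%s' "$pa" | sed 's/[^0-9].*//'); pa=${pa:-0}
        pb=$(printf '%s' "$pb" | sed 's/[^0-9].*//'); pb=${pb:-0}
        if [ "$pa" -lt "$pb" ]; then printf '%s\n' -1; return; fi
        if [ "$pa" -gt "$pb" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Scan DIR for jackson-databind-<version>.jar files.
# Returns 0 if every jar found is at or above MIN_VERSION,
#         1 if at least one jar is older than MIN_VERSION,
#         2 if no jackson-databind jar is present at all.
jackson_databind_outdated() {
    dir="$1"; found=0; bad=0
    for jar in "$dir"/jackson-databind-*.jar; do
        [ -e "$jar" ] || continue          # glob did not match anything
        found=1
        name=${jar##*/}                    # strip directory
        ver=${name#jackson-databind-}      # strip artifact prefix
        ver=${ver%.jar}                    # strip extension -> e.g. 2.1.4
        if [ "$(version_cmp "$ver" "$MIN_VERSION")" = "-1" ]; then
            printf 'OUTDATED %s (%s < %s)\n' "$jar" "$ver" "$MIN_VERSION"
            bad=1
        else
            printf 'OK       %s (%s)\n' "$jar" "$ver"
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'no jackson-databind jar found under %s\n' "$dir"
        return 2
    fi
    return "$bad"
}

# Run the check only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    jackson_databind_outdated "$1"
fi
```

Run against the two versions named in the post, 2.1.4 (6.1.0) and 2.9.8 (7.2.0), both are reported as OUTDATED, which reproduces the poster's conclusion without opening any jar. The check reads only the file name, so it says nothing about whether Default Typing is enabled or which gadget jars (mysql-connector-java, JDOM, logback, ehcache) sit beside it; those are the preconditions the quoted advisories attach to each CVE, and the upgrade the post asks for is what removes the dependency on them.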
djohnson53 Posted September 16, 2019

Refer to https://www.tibco.com/security

Resources

Security Advisories
TIBCO distributes information about security vulnerabilities and remediation in its products through security advisories.

Public Security Notices
TIBCO's response to general publicly announced security issues can be found on our Public Notices page.

Security Policy, Practices and Processes
For details on TIBCO Security Policies, Practices and Processes please see the TIBCO Security Guidelines.
swood_1 Posted September 16, 2019 (marked as Solution)

[updated] Don is correct. We cannot comment on security issues like CVEs, and cannot commit to fixes or timeframes.
akshaya_hebbar Posted September 17, 2019 (Author)

The answer given by swood_1 only applies to CVE-2019-14439. The other vulnerabilities, CVE-2019-12086, CVE-2019-12814, CVE-2019-12384 and CVE-2019-14379, are still not answered.

Not getting an option to comment on his answer, so adding a comment here.
djohnson53 Posted September 17, 2019

Please refer to these resources. As TIBCO employees, we are not at liberty to discuss these CVEs outside of these resources:

Security Advisories
TIBCO distributes information about security vulnerabilities and remediation in its products through security advisories.

Public Security Notices
TIBCO's response to general publicly announced security issues can be found on our Public Notices page.