
Block one more gadget type (oracle-jdbc, CVE-2018-12023) #2058

@cowtowncoder


There is a potential remote code execution (RCE) vulnerability if the user is:

  1. handling untrusted content (where an attacker can craft the JSON)
  2. using the "Default Typing" feature (or equivalent: a polymorphic value with base type of java.lang.Object)
  3. has the Oracle JDBC driver jar on the classpath
  4. allows connections from the service to untrusted hosts (where the attacker can run an LDAP service)

(note: steps 1 and 2 are the common steps, as explained in https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)

To solve the issue, 2 types from the JDBC driver are blacklisted to avoid their use as "serialization gadgets".

Original vulnerability discoverer:
吴桂雄 Wuguixiong

Fixed in:

  • 2.9.6 and later
  • 2.8.11.2
  • 2.7.9.4
  • 2.6.7.3
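Step 2 above (global "Default Typing" with a java.lang.Object base type) is the condition a defender controls most directly. The following is an added example, not code from this issue or from jackson-databind itself: it shows the weak setting beside the allowlist-based configuration that jackson-databind 2.10 and later provide through PolymorphicTypeValidator. The com.example.model package prefix and the constructed payload are assumed placeholders.

```java
// Added example: weak "Default Typing" configuration beside a hardened one.
// Requires jackson-databind 2.10 or later for JsonMapper and
// BasicPolymorphicTypeValidator; package names are placeholders.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingConfig {

    // WEAK: global default typing with no validator. A value of the form
    // ["fully.qualified.ClassName", {...}] bound to java.lang.Object is
    // resolved against the whole classpath, so the only protection is the
    // blacklist this issue extends, which has to grow with every new gadget.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // HARDENED (2.10+): type ids may only resolve to classes under an
    // explicit package prefix (assumed: com.example.model). A driver or
    // framework class named in the JSON is denied before any class lookup,
    // whether or not it appears on the built-in blacklist.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // assumed application package
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
    }

    // Demonstration with a constructed payload naming a class that does not
    // exist. Both mappers throw InvalidTypeIdException, but for different
    // reasons: the weak mapper tries to load the class and fails only
    // because it is absent ("no such class found"), while the hardened
    // mapper denies the id from the validator without consulting the
    // classpath at all.
    public static void main(String[] args) {
        String constructed = "[\"com.example.NotAllowed\", {}]";
        for (ObjectMapper mapper : new ObjectMapper[] { weakMapper(), hardenedMapper() }) {
            try {
                Object value = mapper.readValue(constructed, Object.class);
                System.out.println("deserialized: " + value);
            } catch (Exception e) {
                System.out.println(e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
    }
}
```

The difference in the two failure messages is the point: with the weak mapper a type id that does name a class present on the classpath (step 3) is instantiated unless the blacklist already lists it, whereas the hardened mapper never reaches instantiation for anything outside the allowed prefix. Not enabling default typing at all remains the simplest way to take step 2 out of the equation.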

Labels: CVE (Issues related to public CVEs / security vuln reports)