DOMDeserializer: setExpandEntityReferences(false) may not prevent external entity expansion in all cases [CVE-2020-25649]
#2589
Comments
First of all, thank you for reporting this security concern. One quick note/question: you should not enable validation, since that would basically require expansion -- you cannot do that, and it is not something Jackson itself sets. Aside from that, I'll see if adding the missing settings from the list of 3 mentioned is safe wrt JDK baselines Jackson expects.
Ok so specifically, while the other 2 settings are already applied, this could be added:
It is not an entirely risk-free change, actually, since it does not only block the entity expansion that we want, but also outlaws use of
One more setting that could be considered, from the linked-to page, would be:
which I'll probably add too.
This problem was assigned the following vuln id: CVE-2020-25649
Update: backported in potential future versions:
(in addition to being included in 2.11.0 and later)
@cowtowncoder
@nloke No immediate plan; it might be that no full 2.10.6 will be released but 2.10.5.1 for databind. And if so, would probably want to do around same time as 2.9.10.7 (the last micro-patch for 2.9, as 2.9 goes EOL by end of 2020).
Hello, is there a planned date for 2.10.6 or 2.10.5.1 with the above fix?
@sourabhsparkala due to variability in the time I have for development and all related tasks, I typically do not set out dates for various releases. This is a relatively low priority thing for me because it's just a single fix and while there's a CVE id registered it seems unlikely to be exploitable by anybody. But I will go ahead and create a separate issue for that micro-patch so I won't forget. Maybe I'll get the patch out by November -- the main limitation is that I will not want to release any more versions of 2.10.x and after this patch will probably close the 2.10 branch for good. 2.11.x has been out for a while, and 2.12.0 should be out in November.
@cowtowncoder now that 2.12.0 is out, when can we expect 2.10.5.1? Apologies if this is already being considered.
Yes, #2920 is on my todo list after blogging about the 2.12.0 release.
Updated notes above: the fix is now included in:
I am confused: is this fixed in 2.11.0 or 2.12.0? Because Sonatype is still reporting this as a security vulnerability in 2.11.0?
As per description:
https://github.com/FasterXML/jackson-databind/blob/master/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java#L30
and
https://github.com/FasterXML/jackson-databind/blob/master/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java#L33
is not enough to stop expansion of entities. Depending on the provider (Xerces) being used, it might work with the current DOMDeserializer or not. If the JDK default is used (at least the one that I used at the time of testing), it won't allow entities to be expanded; however, if another provider from the classpath is used, it might. For instance, xerces-2.12.... does allow (iirc) expansion.
Reference: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j
I tinkered a bit with databind classes and I had something like: