akka / alpakka

Alpakka is a Reactive Enterprise Integration library for Java and Scala, based on Reactive Streams and Akka.
https://doc.akka.io/docs/alpakka/current/

Jackson Databind vulnerability #793

Closed johanandren closed 5 years ago

johanandren commented 6 years ago

There are a couple of quite serious vulnerabilities (potentially remote code execution) in jackson-databind:

Among the Alpakka modules older versions are pulled in (directly or transitively) by:

I think all these need to be updated.

takezoe commented 6 years ago

I investigated the status of Jackson dependency in each connector. The summary is as follows:

elasticsearch

Upgraded in #804

kinesis, s3, sns, sqs, awslambda, dynamodb

The Jackson dependency in these connectors is coming from aws-sdk-java. I sent a pull request to aws-sdk-java to upgrade Jackson: https://github.com/aws/aws-sdk-java/pull/1480

However, aws-sdk-java has to support Java 6, and some of the fixes for the Jackson vulnerabilities have not been backported to Jackson 2.6.x, which is the line for Java 6. Hence, we might have to override the Jackson dependency on the Alpakka side.

azure-storage-queue

Same as aws-sdk-java with regard to Java 6 support. I created an issue instead of sending a pull request: https://github.com/Azure/azure-storage-java/issues/264

geode

Jackson was upgraded in the develop branch recently: https://github.com/apache/geode/commit/c076bef6471f43e227531c4829dd90b32931dd23#diff-1fa89afcc2bb350e76df4a548d82c912R46 We can wait for the next geode release.

orientdb

I sent a pull request to orientdb repository: https://github.com/orientechnologies/orientdb/pull/8118

Note: orientdb has a dependency on blueprints, and blueprints has a dependency on an old version of Jackson. But I guess it will be evicted by the latest version of Jackson if the above pull request is merged.

ennru commented 6 years ago

Great investigation work @takezoe ! Thank you.

cowtowncoder commented 6 years ago

Since the vulnerability (all CVEs listed rely on one main mechanism) is not widely understood (although reports do usually explain the general idea), I wrote:

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

and from that, one suggestion I would make is to ensure that Default Typing is not enabled by default. It is not enabled by default for new ObjectMappers, and frameworks/libs should not enable it for untrusted content. This prevents all of the above problems as well as possibly unknown future ones.

I realize that many automated CVE/vulnerability checkers only have a binary yes/no condition based on versions (which is unfortunate), so version upgrades are often necessary just to be safe.
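To make the "Default Typing" point above concrete, here is an added, self-contained Java example (not Alpakka or Jackson code, and not from the comment author). It assumes jackson-databind 2.9.x on the classpath, uses a hypothetical class named Surprise as a harmless stand-in for the kind of class the real CVE gadget chains instantiate, and constructs its own input strings. It shows that with default typing enabled the JSON document itself chooses which class gets instantiated, that a fresh ObjectMapper rejects the same input, and how to keep polymorphism while restricting type ids to an explicit allow-list.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added illustration of the mechanism behind the jackson-databind CVEs discussed
// in this issue. Not Alpakka or Jackson code. Assumes jackson-databind 2.9.x
// (enableDefaultTyping was deprecated in 2.10 in favour of activateDefaultTyping
// with a PolymorphicTypeValidator).
public class DefaultTypingDemo {

    // Hypothetical application type that a service legitimately expects.
    public static class Payload {
        public String text;
    }

    // Hypothetical stand-in for a class the application never meant to
    // deserialize. The real CVEs rely on classes whose constructors or setters
    // have dangerous side effects; this one only records that it was created.
    public static class Surprise {
        public static boolean constructed = false;
        public String text;
        public Surprise() { constructed = true; }
    }

    // Safe polymorphism: the type id is a logical name resolved against an
    // explicit allow-list, so the JSON cannot name an arbitrary class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = TextMessage.class, name = "text") })
    public interface Message {}

    public static class TextMessage implements Message {
        public String text;
    }

    public static void main(String[] args) throws Exception {
        // Constructed "untrusted" input in Jackson's WRAPPER_ARRAY format: the
        // first element names the class to instantiate, the second is its content.
        String untrusted = "[\"" + Surprise.class.getName() + "\",{\"text\":\"hi\"}]";

        // 1) Unsafe: default typing for all non-final types, target type Object.
        //    The class name inside the document is honoured.
        ObjectMapper unsafe = new ObjectMapper();
        unsafe.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        Object result = unsafe.readValue(untrusted, Object.class);
        System.out.println("default typing on: got " + result.getClass().getName()
                + ", Surprise constructed = " + Surprise.constructed);

        // 2) Safe default: a fresh ObjectMapper never looks at the class name and
        //    fails because an array is not a Payload object.
        Surprise.constructed = false;
        ObjectMapper safe = new ObjectMapper();
        try {
            safe.readValue(untrusted, Payload.class);
        } catch (JsonMappingException e) {
            System.out.println("default typing off: rejected ("
                    + e.getOriginalMessage() + "), Surprise constructed = "
                    + Surprise.constructed);
        }

        // 3) Polymorphism that is still safe: only names on the allow-list resolve.
        Message ok = safe.readValue("{\"type\":\"text\",\"text\":\"hi\"}", Message.class);
        System.out.println("allow-listed subtype: " + ok.getClass().getSimpleName());
        try {
            safe.readValue("{\"type\":\"" + Surprise.class.getName()
                    + "\",\"text\":\"hi\"}", Message.class);
        } catch (JsonMappingException e) {
            System.out.println("unknown type id rejected: " + e.getOriginalMessage());
        }
    }
}
```

Running it with jackson-databind 2.9.x prints that the first mapper instantiated Surprise while the other two attempts were rejected before any constructor ran. On 2.10 or later, code that genuinely needs default typing should call activateDefaultTyping with a BasicPolymorphicTypeValidator that allows only the application's own base types, which turns the class-name lookup into an allow-list check rather than relying on the version-based blocklist the scanners mentioned above are keyed to.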

takezoe commented 6 years ago

Status updated:

kinesis, s3, sns, sqs, awslambda, dynamodb

The pull request has been rejected to keep Java 6 support, but aws-sdk-java-v2 seems to use a newer version of Jackson. Maybe we should switch to that (in the future).

Upgrading to AWS SDK2 has been discussed in #372.

orientdb

The pull request has been merged. We can wait for the next release.

takezoe commented 6 years ago

@cowtowncoder I think the possibility of actually being affected by Jackson's vulnerabilities is not so high in Alpakka (and a lot of other Java software). However, I also think upgrading dependent libraries is basically a good habit. In particular, foundation libraries have the possibility to make a large impact because they are used by a lot of other software.

cowtowncoder commented 6 years ago

@takezoe yes, absolutely, the upgrade makes sense, I fully agree. I just wanted to link some more information on the security vulnerability itself.

ennru commented 5 years ago

AWS SDK 2.5.20 has upgraded those dependencies to com.fasterxml.jackson.core jackson-databind 2.9.8, so AWS Lambda, SQS and SNS are free from this vulnerability.

ennru commented 5 years ago

With #1777 merged all connectors are on Jackson Databind 2.9.9.

ennru commented 5 years ago

Closing this for the upcoming release.