Spring AMQP / AMQP-747

Jackson ClassMapper implementations are vulnerable to CVE-2017-4995

    Details

    • Type: Defect
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 2.0 M4, 1.6.10, 1.7.3
    • Fix Version/s: 2.0 M5, 1.6.11, 1.7.4
    • Component/s: Core
    • Labels:

      Activity

      grussell Gary Russell added a comment -

      I don't think this is a problem, since we don't enable default typing...

      package org.springframework.amqp.rabbit.support;

      import com.fasterxml.jackson.annotation.JsonTypeInfo;
      import com.fasterxml.jackson.databind.ObjectMapper;
      import org.junit.Test;

      public class Foo {

      	@Test
      	public void test() throws Exception {
      		// Serialize with default typing enabled so the JSON carries an "@class" property...
      		ObjectMapper mapper = new ObjectMapper();
      		mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
      		String json = new String(mapper.writeValueAsBytes(new Bar()));
      		System.out.println(json);
      		// ...then read it back with a fresh mapper that does NOT have default typing enabled:
      		// the "@class" property is treated as ordinary data, not as a type to instantiate
      		mapper = new ObjectMapper();
      		System.out.println(mapper.readValue(json, Object.class).getClass());
      	}

      	public static class Bar {

      		private String baz = "qux";

      		public String getBaz() {
      			return this.baz;
      		}

      		public void setBaz(String baz) {
      			this.baz = baz;
      		}

      	}

      }
      

      {"@class":"org.springframework.amqp.rabbit.support.Foo$Bar","baz":"qux"}
      class java.util.LinkedHashMap
      

      // Same test as above, but deserializing with the mapper that still has default
      // typing enabled: now the "@class" property selects the class Jackson instantiates
      @Test
      public void test() throws Exception {
      	ObjectMapper mapper = new ObjectMapper();
      	mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
      	String json = new String(mapper.writeValueAsBytes(new Bar()));
      	System.out.println(json);
      //	mapper = new ObjectMapper(); // so we use the one with typing enabled
      	System.out.println(mapper.readValue(json, Object.class).getClass());
      }
      

      {"@class":"org.springframework.amqp.rabbit.support.Foo$Bar","baz":"qux"}
      class org.springframework.amqp.rabbit.support.Foo$Bar
      

      abilan Artem Bilan added a comment -

      But we do this:

      String typeIdHeader = retrieveHeaderAsString(properties, getClassIdFieldName());
      

      So, we extract the target type for the body from the associated headers in the incoming message.
      Or I just don't understand that vulnerability properly...

      grussell Gary Russell added a comment -

      Ah; ok; so we need to check the header value against a white list; it's not mapper internals.

      Got it.

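      The two comments above together describe the actual exposure and the fix: the target class for the JSON body is read from a message header rather than from the JSON itself, so a producer can name any class on the consumer's classpath, and the consumer must check that name against a whitelist before Jackson is allowed to instantiate it. The following stand-alone sketch is an added example of that check, not Spring AMQP's own code and not the fix that shipped in the versions listed above: the class name TrustedTypeIdExample, the method names resolveTrustedType and fromMessage, the package "example" and the messages built in main() are all constructed for illustration. The header name "__TypeId__" is assumed to be the converter's default class id field.

```java
package example;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;

// Illustrative consumer-side converter (not Spring AMQP code): the type id
// arrives in a message header, so it is producer-controlled data and must be
// whitelisted before it is handed to Jackson.
public class TrustedTypeIdExample {

    // Assumed default name of the class id header.
    static final String TYPE_ID_HEADER = "__TypeId__";

    private final ObjectMapper mapper = new ObjectMapper();
    private final List<String> trustedPackages;

    TrustedTypeIdExample(String... trustedPackages) {
        this.trustedPackages = Arrays.asList(trustedPackages);
    }

    // Compare the package part of the type id against the whitelist as a plain
    // string BEFORE calling Class.forName(), so an untrusted class is never
    // loaded, let alone instantiated by Jackson.
    Class<?> resolveTrustedType(String typeId) throws ClassNotFoundException {
        int dot = typeId.lastIndexOf('.');
        String pkg = dot < 0 ? "" : typeId.substring(0, dot);
        for (String trusted : trustedPackages) {
            if (pkg.equals(trusted) || pkg.startsWith(trusted + ".")) {
                return Class.forName(typeId, false, getClass().getClassLoader());
            }
        }
        throw new IllegalArgumentException(
                "type id '" + typeId + "' is not in a trusted package " + trustedPackages);
    }

    Object fromMessage(Map<String, Object> headers, byte[] body) throws Exception {
        Object typeId = headers.get(TYPE_ID_HEADER);
        if (typeId == null) {
            // No type id: generic Jackson mapping (Map/List/String), the same
            // LinkedHashMap result that the first test in the comments prints.
            return mapper.readValue(body, Object.class);
        }
        return mapper.readValue(body, resolveTrustedType(typeId.toString()));
    }

    public static class Bar {
        private String baz = "qux";
        public String getBaz() { return this.baz; }
        public void setBaz(String baz) { this.baz = baz; }
    }

    public static void main(String[] args) throws Exception {
        // Only classes under the "example" package may be named in the header.
        TrustedTypeIdExample converter = new TrustedTypeIdExample("example");
        byte[] body = "{\"baz\":\"qux\"}".getBytes(StandardCharsets.UTF_8);

        // Constructed message 1: a trusted type id is honoured.
        Map<String, Object> ok = new HashMap<>();
        ok.put(TYPE_ID_HEADER, Bar.class.getName());
        System.out.println(converter.fromMessage(ok, body).getClass());

        // Constructed message 2: any class outside the whitelist (here a harmless
        // JDK class) is rejected before class loading happens.
        Map<String, Object> rejected = new HashMap<>();
        rejected.put(TYPE_ID_HEADER, "java.util.HashMap");
        try {
            converter.fromMessage(rejected, body);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Constructed message 3: no type id at all falls back to generic mapping.
        System.out.println(converter.fromMessage(new HashMap<>(), body).getClass());
    }
}
```

      The point of the check is the ordering: the header value is compared as a string first, and Class.forName() runs only for names already inside a trusted package. Checking after loading the class would still let a producer trigger static initialisers of arbitrary classes on the consumer's classpath.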

        People

        • Assignee:
          abilan Artem Bilan
          Reporter:
          abilan Artem Bilan
        • Votes:
          0
          Watchers:
          2

          Dates

          • Created:
            Updated:
            Resolved: