Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Block one more gadget type (logback, CVE-2019-14439) #2389

Closed
cowtowncoder opened this issue Jul 24, 2019 · 8 comments
Closed

Block one more gadget type (logback, CVE-2019-14439) #2389

cowtowncoder opened this issue Jul 24, 2019 · 8 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Jul 24, 2019

Another gadget type report regarding logback/JNDI.

Mitre id: CVE-2019-14439
Reporter: [email protected] (Badcode of Knownsec 404 Team)


Fixed in:

  • 2.9.10
  • 2.8.11.4
  • 2.7.9.6
  • 2.6.7.3
@cowtowncoder cowtowncoder added ACTIVE CVE Issues related to public CVEs (security vuln reports) labels Jul 24, 2019
@jdelta-RBS
Copy link

Similar to #2341 and others? -_-

@cowtowncoder
Copy link
Member Author

@jdelta-RBS yup, same old shite.

cowtowncoder added a commit that referenced this issue Jul 26, 2019
@cowtowncoder cowtowncoder changed the title Placeholder for another "default typing" CVE Block one more gadget type (CVE-2019-14361) Jul 30, 2019
@cowtowncoder cowtowncoder added this to the 2.9.9.2 milestone Jul 30, 2019
cowtowncoder added a commit that referenced this issue Jul 30, 2019
@carnil
Copy link

carnil commented Jul 30, 2019

Is this the correct CVE? According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439 CVE-2019-14439 was assigned for this issue.

@cowtowncoder
Copy link
Member Author

cowtowncoder commented Jul 30, 2019

I don't know. I guess this is downside of my not requesting CVE IDs -- looks like we now have TWO cve ids for same thing. :-/

Will the real CVE-for-logback please stand up?

@cowtowncoder cowtowncoder changed the title Block one more gadget type (CVE-2019-14361) Block one more gadget type (logback, CVE-2019-14361) Jul 30, 2019
@cowtowncoder cowtowncoder changed the title Block one more gadget type (logback, CVE-2019-14361) Block one more gadget type (logback, CVE-2019-14361 / CVE-2019-14439) Jul 30, 2019
@carnil
Copy link

carnil commented Jul 31, 2019 via email

@cowtowncoder
Copy link
Member Author

Thank you.

@nluedtke
Copy link

nluedtke commented Aug 2, 2019

CVE-2019-14361 was rejected. Update the title to prevent confusion?

@cowtowncoder cowtowncoder changed the title Block one more gadget type (logback, CVE-2019-14361 / CVE-2019-14439) Block one more gadget type (logback CVE-2019-14439) Aug 2, 2019
@cowtowncoder
Copy link
Member Author

Done. Will need to try to hunt down refs in other places now.

scottfrederick pushed a commit to spring-cloud/spring-cloud-connectors that referenced this issue Aug 5, 2019
Updated jackson-databind version to 2.9.9.2 which contains fix for:
- [CVE-2019-14379](FasterXML/jackson-databind#2387)
- [CVE-2019-14361 / CVE-2019-14439](FasterXML/jackson-databind#2389)
@cowtowncoder cowtowncoder changed the title Block one more gadget type (logback CVE-2019-14439) Block one more gadget type (logback, CVE-2019-14439) Sep 12, 2019
ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Development

No branches or pull requests

4 participants