False positives for CVE-2016-3720 for several jackson libraries #517
Comments
Is the CVE limited to just Note that the issue seems limited to XML, yet I only use Jackson for JSON.
As far as I understand the original Fedora bug report, only the extension jackson-dataformat-xml is affected, which must be put explicitly on the classpath.
In that case, isn't the CVE metadata incorrect? As long as it says
That is correct Anthony. Though I'm not sure where to file a fix for CVE metadata, and if it would be fixed at all. I guess RedHat could be the contact here as the responsible CVE Numbering Authority.
FYI, I've sent an email to the RedHat security team. We'll see if I'm mistaken or if they can fix it.
I raised a ticket for I also sent an email to [email protected] (after reading the FAQ) and they forwarded the issue to [email protected].
After thinking about this some more I believe we could use the following suppression rules to suppress the false positive for all except jackson-dataformat-xml:
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: jackson-core-2.6.5.jar
]]></notes>
<gav regex="true">com\.fasterxml\.jackson\.core:jackson.*</gav>
<cve>CVE-2016-3720</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: jackson-core-2.6.5.jar
]]></notes>
<gav regex="true">com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).*</gav>
<cve>CVE-2016-3720</cve>
</suppress>
</suppressions>
@awhitford , did you get any update over your e-mail? I am safely assuming that the vulnerability exists even with Jackson 2.7.4. Does anyone know the tentative timeline of the next Jackson version?
The fix for this FP has been implemented in 1.4.5-SNAPSHOT and will be included in the next release.
Jackson artifacts had different Maven coordinates earlier. I added the following suppression to handle those old artifacts with Dependency-Check 1.4.5.
<suppress>
<notes><![CDATA[
https://github.com/jeremylong/DependencyCheck/issues/517
]]></notes>
<gav regex="true">org\.codehaus\.jackson:jackson-.*</gav>
<cve>CVE-2016-3720</cve>
</suppress>
I am not aware which old artifact(s) corresponds to vulnerable
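As an added illustration (not code from this thread or from DependencyCheck itself), the script below parses the three suppression rules posted above and applies them to a constructed list of findings; it assumes the GAV regex is applied as a full match. It shows that the negative lookahead keeps jackson-dataformat-xml flagged and that artifacts in other sub-groups such as jackson-jaxrs-base are not covered by these rules.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"}

# The three <suppress> rules from the comments above, embedded verbatim (raw string keeps the backslashes).
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <gav regex="true">com\.fasterxml\.jackson\.core:jackson.*</gav>
    <cve>CVE-2016-3720</cve>
  </suppress>
  <suppress>
    <gav regex="true">com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).*</gav>
    <cve>CVE-2016-3720</cve>
  </suppress>
  <suppress>
    <gav regex="true">org\.codehaus\.jackson:jackson-.*</gav>
    <cve>CVE-2016-3720</cve>
  </suppress>
</suppressions>"""

def load_rules(xml_text):
    """Parse each <suppress> into (gav pattern, is_regex, set of CVE ids)."""
    rules = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        gav = sup.find("s:gav", NS)
        cves = {c.text.strip() for c in sup.findall("s:cve", NS)}
        rules.append((gav.text.strip(), gav.get("regex", "false").lower() == "true", cves))
    return rules

def is_suppressed(rules, gav, cve):
    """A finding is dropped when one rule matches both its CVE and its GAV.
    Assumption: the GAV regex must match the whole coordinate string."""
    for pattern, is_regex, cves in rules:
        if cve in cves and ((is_regex and re.fullmatch(pattern, gav)) or (not is_regex and pattern == gav)):
            return True
    return False

# Constructed findings: every Jackson artifact flagged with the CVE, as the thread reports.
FINDINGS = [
    ("com.fasterxml.jackson.core:jackson-core:2.6.5", "CVE-2016-3720"),
    ("com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.6.5", "CVE-2016-3720"),
    ("com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.6.5", "CVE-2016-3720"),
    ("org.codehaus.jackson:jackson-mapper-asl:1.9.13", "CVE-2016-3720"),
    ("com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.3.3", "CVE-2016-3720"),
]

def remaining_findings(findings=FINDINGS):
    """Return the GAVs that survive the suppression file: the real hit plus any uncovered group."""
    rules = load_rules(SUPPRESSIONS_XML)
    return [gav for gav, cve in findings if not is_suppressed(rules, gav, cve)]
```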
Thanks - I did a little research and updated the regex to include the alternative group. |
Hi @jeremylong, ehcache-2.10.3.jar/rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/pom.xml (com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.3.3, cpe:/a:fasterxml:jackson:2.3.3) : CVE-2016-3720 I've locally updated the rule to exclude all sub-groups except dataformat:
Apologies for commenting on a closed ticket, but since I had to send an update request for another related Jackson XML CVE I thought update might make sense. Jackson side issue for CVE-3720 is: FasterXML/jackson-dataformat-xml#190 and it was indeed fixed in There is a newer but similar CVE, 7051: http://www.cvedetails.com/cve/CVE-2016-7051/ which:
It also looks like description at mitre.org is too general as well, leading to false alarms: Similar to issue here. I suspect it might make sense to file a new issue, but thought maybe starting here would make most sense. |
It still fails with v2.0.1. Should I create a new ticket?
@nhenneaux see #792.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
CVE-2016-3720 is falsely reported for the following libraries and probably all other com.fasterxml.jackson libraries for all versions (e.g. [version] = 2.5.0, 2.5.4, 2.6.5)
Am I right that we can't use the CPE as a suppression rule here, as that would exclude the vulnerable library jackson-dataformat-xml as well?