This repository has been archived by the owner on Mar 21, 2022. It is now read-only.

Jackson dependency subject to CVE-2016-3720 #751

Closed
walteryoung opened this issue May 18, 2017 · 10 comments

Comments

@walteryoung

Description

docker-client 8.4.0 uses a version of Jackson that is subject to a CVE. Information can be found here.

Additionally, there is a Medium severity issue with Rancher Labs.

How to reproduce

Build with a system that exposes CVEs. My organization builds with Jenkins, using a maven plugin that lists CVEs.

What do you expect

Use an updated version of Jackson that is not subject to the CVE.

What happened instead

CVE.

Software:

  • Spotify's docker-client version: 8.4.0

Full backtrace

C:/tools/apache-maven-3.3.9/localRepository/com/fasterxml/jackson/module/jackson-module-jaxb-annotations/2.6.0/jackson-module-jaxb-annotations-2.6.0.jar , CVE-2016-3720 , Severity: High

XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.

C:/tools/apache-maven-3.3.9/localRepository/com/spotify/docker-client/8.4.0/docker-client-8.4.0.jar , CVE-2017-7297 , Severity: Medium
Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. This is fixed in versions rancher/server:v1.2.4, rancher/server:v1.3.5, rancher/server:v1.4.3, and rancher/server:v1.5.3.

@mattnworb
Member

Can you share the name of the plugin that lists CVEs? Would like to know how to reproduce the output.

We use neither of the functionality mentioned, btw, and I'm not even sure what rancher-server is.

@walteryoung
Author

I will look into this more and provide more information tomorrow. Thanks!

@walteryoung
Author

@mattnworb, I looked into this some more. I am not an expert on our build system; I just know that we use jenkins and have a maven dependency checker-tool that scans for known CVEs. I will attach a screenshot below.

I'm still not sure where exactly the Rancher dependency is, but I did find the jackson one. docker-client directly references Jackson in the pom.xml file, as seen here:

<dependency>
  <groupId>com.fasterxml.jackson.jaxrs</groupId>
  <artifactId>jackson-jaxrs-json-provider</artifactId>
  <version>2.6.0</version>
</dependency>
<dependency>
  <groupId>com.fasterxml.jackson.datatype</groupId>
  <artifactId>jackson-datatype-guava</artifactId>
  <version>2.6.0</version>
</dependency>
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>2.6.0</version>
</dependency>

There are newer versions of those dependencies that are not subject to the vulnerabilities: https://search.maven.org/#search%7Cga%7C1%7Cjackson-jaxrs

Here is some more information about Rancher, it seems to be a container management tool: https://github.com/rancher/rancher

Finally, here is a screenshot of our CVE-checker. We do use jackson in some other parts of our project, but docker-client is the only dependency that uses the older 2.6 versions of Jackson. The first four links are all about Jackson, the 5th link is about Rancher labs. The remaining links are unrelated to docker-client.

[screenshot: docker-mvn]

Let me know if you need any more information! Thanks! I really appreciate your docker-client project.

@mattnworb
Member

mattnworb commented May 19, 2017

Looks like there is also #467 for this same CVE with Jackson.

@walteryoung I'd love to know the name of the maven or Jenkins plugin that is generating that info, assuming it is open-source and not proprietary. We could then look at integrating it with the builds that Travis does for this repo.

@walteryoung
Author

walteryoung commented May 19, 2017

@mattnworb

Here is a link to more information about the plugin. It looks like it is just a jenkins plug-in for OWASP Dependency-Check.

I saw issue 467 when I searched, but I wasn't sure if it was outdated or not. Thanks.

@rgrunber
Contributor

rgrunber commented May 25, 2017

Using the dependency check would be nice, but as it was mentioned in issue #467, this would seem to be a bit of a false positive. jackson-dataformat-xml (which contains XmlMapper) is not in use, and the library would probably have no need for it as the Remote API uses a JSON format.

On the other hand it could be argued that if this library existed in a larger ecosystem that required jackson-dataformat-xml (for other reasons), and if separate versions of jackson could not co-exist, then the current version promotes the vulnerability.

@mattnworb
Member

As far as I can tell, jackson-dataformat-xml is not even a transitive dependency of this project
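A way to verify the two claims above, that jackson-dataformat-xml is absent from the resolved dependency graph and that every Jackson artifact comes in at the same old 2.6.0 level (the co-existence concern raised in the previous comment), written for this thread as an added example rather than docker-client code: it parses the plain-text output of `mvn dependency:tree`. The sample tree is constructed from the pom.xml excerpt earlier in the thread, not captured from a real build, and the 2.8.6 minimum is an assumption borrowed from the jackson-core version mentioned later in the thread, not a claim about which release fixes these CVEs.

```python
"""Audit a `mvn dependency:tree` listing for Jackson artifacts.

Added example for this issue thread, not code from docker-client. It reports
whether jackson-dataformat-xml (the artifact that actually ships XmlMapper) is
anywhere in the resolved graph, and whether the Jackson versions pulled in are
below a chosen minimum or mixed across artifacts.
"""
import re

# Constructed sample of `mvn dependency:tree` output, built from the pom.xml
# excerpt in this thread; it is not a real build log.
SAMPLE_TREE = """\
[INFO] com.spotify:docker-client:jar:8.4.0
[INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.6.0:compile
[INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.6.0:compile
[INFO] |  \\- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.6.0:compile
[INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-guava:jar:2.6.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.6.0:compile
[INFO] \\- org.glassfish.jersey.core:jersey-client:jar:2.22.2:compile
"""

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def parse_tree(text):
    """Return (groupId, artifactId, version) for each coordinate line in the tree."""
    deps = []
    for raw in text.splitlines():
        # Strip the log prefix and the tree-drawing characters ("+- ", "|  ", "\- ").
        line = raw.replace("[INFO]", "", 1).strip().lstrip("+-|\\ ")
        coord = line.split(" ", 1)[0]  # drop trailing annotations such as "(optional)"
        parts = coord.split(":")
        if len(parts) < 4:
            continue  # not a groupId:artifactId:packaging:version line
        if parts[-1] in SCOPES:
            parts = parts[:-1]  # drop the scope so the version is always last
        deps.append((parts[0], parts[1], parts[-1]))
    return deps


def version_key(version):
    """Order versions numerically per dot-separated part; non-numeric parts sort low."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d+)(.*)$", part)
        key.append((int(m.group(1)), m.group(2)) if m else (-1, part))
    return tuple(key)


def audit_jackson(tree_text, minimum="2.8.6", xml_artifact="jackson-dataformat-xml"):
    """Summarise Jackson usage in a dependency tree.

    `minimum` is an assumption for this example: 2.8.6 is simply the jackson-core
    version named later in this thread, not a vetted fix version for these CVEs.
    """
    jackson = [d for d in parse_tree(tree_text) if d[0].startswith("com.fasterxml.jackson")]
    versions = sorted({v for _, _, v in jackson}, key=version_key)
    return {
        "jackson": jackson,
        "outdated": [d for d in jackson if version_key(d[2]) < version_key(minimum)],
        "versions": versions,
        # More than one version means the co-existence problem described above is real.
        "mixed_versions": len(versions) > 1,
        # XmlMapper lives in this artifact; if it is absent, XXE findings against it
        # do not describe reachable code in this build.
        "xml_dataformat_present": any(a == xml_artifact for _, a, _ in jackson),
    }


if __name__ == "__main__":
    report = audit_jackson(SAMPLE_TREE)
    for g, a, v in report["jackson"]:
        print(f"{g}:{a}:{v}")
    print("versions:", report["versions"], "mixed:", report["mixed_versions"])
    print("below minimum:", [a for _, a, _ in report["outdated"]])
    print("jackson-dataformat-xml present:", report["xml_dataformat_present"])
```

To use it on a real checkout, save `mvn dependency:tree` output to a file and pass its contents to `audit_jackson`. This complements rather than replaces dependency-check: as the log later in the thread shows, that tool matches on the CPE `cpe:/a:fasterxml:jackson:2.6.0`, so it flags every Jackson artifact at that version whether or not XmlMapper is on the classpath, and the tree is what tells you which artifacts are actually resolved.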

@mattnworb
Member

$ git show-ref HEAD
f00168ec5c92e20272302415d70fb5633f655894 refs/remotes/origin/HEAD

$ mvn org.owasp:dependency-check-maven:check
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building docker-client 8.6.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- dependency-check-maven:1.4.5:check (default-cli) @ docker-client ---
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Check for updates complete (2012 ms)
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (1 seconds)
[INFO] Finished Central Analyzer (1 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'mono' executable could not be found on the path; either disable the Assembly Analyzer or configure the path mono. On some systems mono-runtime and mono-devel need to be installed.
[ERROR] ----------------------------------------------------
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished CPE Analyzer (3 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished Cpe Suppression Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (9 seconds)
[WARNING]

One or more dependencies were identified with known vulnerabilities in docker-client:

jackson-core-2.6.0.jar (com.fasterxml.jackson.core:jackson-core:2.6.0, cpe:/a:fasterxml:jackson:2.6.0) : CVE-2016-7051
jackson-jaxrs-base-2.6.0.jar (com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.6.0, cpe:/a:fasterxml:jackson:2.6.0) : CVE-2016-7051, CVE-2016-3720


See the dependency-check report for more details.


[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 16.209 s
[INFO] Finished at: 2017-05-25T15:18:08-04:00
[INFO] Final Memory: 27M/780M
[INFO] ------------------------------------------------------------------------

@mattnworb
Member

note that CVE-2016-7051 and CVE-2016-3720 are both for XmlMapper. I don't think the class is included in either library, but I think it makes sense to upgrade Jackson anyway.

mattnworb added a commit that referenced this issue May 25, 2017
@mattnworb
Member

eh, org.owasp:dependency-check-maven:check flags jackson-core-2.8.6 as having CVE-2016-7051 too.

Seems like maybe the owasp tool, or this particular CVE writeup, is known to be too sensitive in regards to jackson: FasterXML/jackson-core#371
