java-driver-core 4.7.2 depends on older versions of Jackson-databind that contain security vulnerabilities

Description

Customer states

We are using a Spring Boot microservice. In this service we access a DSE Graph database. In our pom.xml we are using the following dependencies. Our security scanning system reports critical vulnerabilities in DSE jar files downloaded by Maven for these dependencies. This blocks our deployment. We need technical support to use the proper dependencies in pom.xml.

Dependencies used for Datastax connectivity

Jackson-databind Vulnerabilities

Snippet of the pom content

<dependency>
<groupId>com.datastax.oss</groupId>
<artifactId>java-driver-core</artifactId>
<version>4.7.2</version>
</dependency>

<dependency>
<groupId>com.datastax.dse</groupId>
<artifactId>dse-java-driver-graph</artifactId>
<version>1.9.0</version>
</dependency>

<dependency>
<groupId>io.dropwizard.metrics</groupId>
<artifactId>metrics-core</artifactId>
<version>3.2.2</version>
</dependency>

The vulnerabilities found are

CVE-2020-9546
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

CVE-2020-9547
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

CVE-2020-9548
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

CVE-2020-11619 (This applies to Spring AOP. So that might be something they need to look at because they use Spring (not sure if they use AOP jars or not). But that's not driver related)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop)

CVE-2020-11620
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

CVE-2019-14379
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

CVE-2019-14540
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

CVE-2019-14892
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary cod

CVE-2019-14893
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

CVE-2019-16335
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

CVE-2019-17267
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

CVE-2019-20330
https://nvd.nist.gov/vuln/detail/CVE-2019-20330
https://access.redhat.com/security/cve/cve-2019-20330
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

From the #drivers slack channel (https://datastax.slack.com/archives/C173WTDT4/p1594227185197200) we think the dependencies came from the dse-java-driver-graph version 1.9.0 artifact. The above are all from older versions of jackson-databind.

Creating this JIRA to

  • track the investigation whether any of the vulnerabilities are in the DSE execution path

  • find a workaround

  • provide a fix

Environment

None

Pull Requests

None

Activity

Erik Merkle
July 9, 2020, 3:58 AM

First, as of 4.4.0, all of the DSE specific functionality has been merged into the single unified driver, so there is no need to pull in any DSE specific graph modules. Second, DSE driver 1.9 is based on the old 3.x OSS driver series. Including both dependencies will likely cause problems at some point as they depend on different versions of the same libraries.

So why are they including both the 1.9.0 DSE graph module and the 4.7.2 Driver?

Johnny Mon
July 9, 2020, 7:22 PM

Yes, they don’t need to use the 1.9 graph module. I think they got the sample code somewhere and thought they had to include the graph module. They confirm they want to use the core 4.7.2.

I updated the title of the Jira to reflect the new/correct problem statement.

In the WebEx session today we tried using core 4.7.2 only and still got dependencies to jackson-databind 2.9.10.1 due to Gremlin Core 3.4.5.

DSE core 4.7.2 -> Gremlin Core 3.4.5
https://mvnrepository.com/artifact/com.datastax.oss/java-driver-core/4.7.2

Gremlin Core 3.4.5 -> Gremlin-shaded 3.4.5
https://mvnrepository.com/artifact/org.apache.tinkerpop/gremlin-core/3.4.5

Gremlin-shaded 3.4.5 -> com.fasterxml.jackson.core » jackson-databind (optional) 2.9.10.11
(https://mvnrepository.com/artifact/org.apache.tinkerpop/gremlin-shaded/3.4.5)

Can we check the above if these are applicable to DSE?

Erik Merkle
July 14, 2020, 8:04 PM

Java driver core version 4.7.2 declares an explicit dependency on Jackson Databind version 2.11.0, which is not vulnerable to any of the listed CVEs. If an application depends on this version of driver core, version 2.11.0 of Jackson Databind is what will be used. Below is the dependency tree output for the core module:

mvn dependency:tree

The vulnerable version of Jackson Databind (2.9.10.1 according to Maven Central here) is declared as an optional dependency for gremlin-shaded version 3.4.5. Unless your application explicitly declares version 2.9.10.1 of Databind, and does so ahead of the driver dependency, you won't get that version as the 2.11.0 version the driver already declares will supersede it.

The listed CVEs are all about "gadgets", which are essentially ways of instantiating classes from JSON, where the objects constructed could be malicious, if you are using Jackson Databind's JSON mapper functionality, which the driver does not use. There is some more info about how these exploits work in general here: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. So in most cases, even if the driver were using a vulnerable version of Databind, it still wouldn't be exploitable in the driver, as the mapping to/from JSON is not used in the driver.

Also, the CVEs listed mention specific gadgets that are in other libraries that the driver does not use (things like HikariConfig, JtaTransactionConfig, AnterosDBCPConfig, etc.). Again, even if the driver were using a vulnerable version of Databind, and if the driver were using JSON mapping, the driver still wouldn't be vulnerable as it doesn't try to use any of those classes.

All that said, I'm not sure how the security scan is being performed. It appears the scan is looking at every transitive dependency of every dependency the driver has, not simply the effective classpath of the application using the driver. If that is the case, the scan is being too aggressive and flagging issues that are not really present.

Erik Merkle
July 14, 2020, 8:11 PM

Closing this as I've hopefully explained why this isn't an issue for the driver.

Erik Merkle
July 15, 2020, 1:48 PM

Re-opening this ticket as my explanation was wrong. The gremlin-shaded artifact actually shades the vulnerable Jackson Databind library (deeper investigation done by . We will amend this ticket to get the right fix ASAP.
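The check the last comment points at, as an added example that is not the driver's or the ticket's own code: a Python script that inspects a jar on the effective classpath for a shaded copy of jackson-databind, using the bundled pom.properties that maven-shade-plugin normally keeps and the relocated class prefix (assumed here to be org.apache.tinkerpop.shaded.jackson for gremlin-shaded). The sample jar is constructed inside the script, and the 2.9.10.4 cutoff comes from the CVE texts in the description.

```python
import io
import re
import zipfile
from typing import Optional

# Hypothetical helper, added here. When maven-shade-plugin bundles jackson-databind it
# usually keeps the dependency's META-INF/maven/.../pom.properties and relocates the
# classes under a new prefix (assumed prefix for gremlin-shaded, not taken from the ticket).
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
RELOCATED_PREFIX = "org/apache/tinkerpop/shaded/jackson/databind/"
# Lowest 2.9.x release covering every CVE listed in the description ("before 2.9.10.4").
FIXED_IN = (2, 9, 10, 4)


def parse_version(text: str) -> tuple:
    """Turn '2.9.10.1' into (2, 9, 10, 1); missing trailing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))


def shaded_databind_version(jar_bytes: bytes) -> Optional[str]:
    """Version of jackson-databind bundled in the jar, 'unknown' if only relocated
    classes are found, None if nothing from databind is inside."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    return value.strip()
        if any(n.startswith(RELOCATED_PREFIX) and n.endswith(".class") for n in names):
            return "unknown"
    return None


def is_shaded_databind_vulnerable(jar_bytes: bytes) -> bool:
    """True when the jar bundles databind older than FIXED_IN, or an unidentifiable copy."""
    version = shaded_databind_version(jar_bytes)
    if version is None:
        return False
    if version == "unknown":
        return True  # a shaded copy we cannot identify is treated as suspect
    return parse_version(version) < FIXED_IN


def build_sample_jar(version: str) -> bytes:
    """Constructed stand-in for gremlin-shaded-3.4.5.jar: one relocated class + pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(RELOCATED_PREFIX + "ObjectMapper.class", b"\xca\xfe\xba\xbe")
        jar.writestr(POM_PROPS, f"groupId=com.fasterxml.jackson.core\nversion={version}\n")
    return buf.getvalue()
```

Run it over the jars Maven actually resolved (for example the contents of target/lib after dependency:copy-dependencies) rather than over the declared dependency list, which is the distinction the scanner discussion above turns on.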

Fixed

Assignee

Alexandre Dutra

Reporter

Johnny Mon

Labels

None

PM Priority

None

Reproduced in

None

Affects versions

None

Fix versions

Pull Request

None

Doc Impact

None

Size

None

External issue ID

None


Sprint

Java 4.x

Priority

Major