Jackson databind jar file vulnerability

Hi all,

I am using Elasticsearch 6.1.4 with SG 22.3. I am trying to patch the following vulnerability:

CVE-2018-19362 (CWE-502), published 2019-01-02, updated 2019-05-07, CVSS score 7.5; gained access level: None; access: Remote; complexity: Low; authentication: Not required; confidentiality/integrity/availability impact: Partial/Partial/Partial.
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Has anyone tried the 2.9.8 jar? Would it be compatible with Search Guard 22.3?

Thanks
Rajesh.

According to "Block more classes from polymorphic deserialization (CVE-2018-14718 - CVE-2018-14721) · Issue #2097 · FasterXML/jackson-databind · GitHub", CVE-2018-19362 is fixed in jackson-databind 2.8.11.3, which is already incorporated with https://github.com/floragunncom/search-guard-enterprise-modules/commit/7ccfb604b02fc5a7b6b8e7e450b60323da461249

I replaced 2.8.x with 2.9.8 in the Search Guard (22.3) zip file. It seems to work fine.

By the way, this commit is not available for ES 6.1.4. Is it better to patch with 2.8.11.3 than with 2.9.8?
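Before and after swapping the jar as described above, it is worth checking what the plugin archive actually contains. The script below is an added example written for this thread; it is not Search Guard's or Elasticsearch's own tooling, and the function names and the sample directory built in the usage comments are assumptions. It lists every jackson-*-<version>.jar in a plugin zip (or an installed plugins/<name>/ directory), flags a jackson-databind jar older than a given minimum (2.8.11.3 here), and also flags Jackson modules whose minor versions differ, since jackson-databind expects jackson-core and jackson-annotations from the same minor release line.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Search Guard: audit the Jackson
# jars in a Search Guard plugin zip or an installed plugin directory.
# Usage: sh check_jackson.sh <plugin.zip | plugins/search-guard-6> [min-databind-version]

# Print the entries of a zip file, or the files under a directory.
list_entries() {
    if [ -d "$1" ]; then
        find "$1" -type f
    else
        unzip -Z1 "$1"
    fi
}

# Print "module version" for every jackson-<module>-<version>.jar found,
# e.g. "jackson-databind 2.8.11.3".
jackson_jars() {
    list_entries "$1" | sed -n 's#.*/\{0,1\}\(jackson-[a-z-]*\)-\([0-9][0-9.]*\)\.jar$#\1 \2#p'
}

# Compare two dotted numeric versions field by field; return 0 if $1 >= $2.
# Jackson releases use purely numeric dotted versions (2.8.11.3, 2.9.8).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Report every Jackson jar in $1. Returns 1 if no jackson-databind jar is present,
# if it is older than the minimum version $2, or if the Jackson modules found do not
# share the same minor version (e.g. databind 2.9.8 next to core 2.8.11).
check_jackson() {
    target="$1"; min="$2"
    jars=$(jackson_jars "$target")
    if [ -z "$jars" ]; then
        echo "no jackson jars found in $target" >&2
        return 1
    fi
    bad=0; dbfound=0; minors=""
    while read -r name ver; do
        minor=$(echo "$ver" | cut -d. -f1,2)
        case " $minors " in
            *" $minor "*) ;;
            *) minors="$minors $minor" ;;
        esac
        if [ "$name" = jackson-databind ]; then
            dbfound=1
            if version_ge "$ver" "$min"; then
                echo "OK          $name-$ver.jar (>= $min)"
            else
                echo "VULNERABLE  $name-$ver.jar (< $min)"
                bad=1
            fi
        else
            echo "INFO        $name-$ver.jar"
        fi
    done <<EOF
$jars
EOF
    if [ "$dbfound" -eq 0 ]; then
        echo "no jackson-databind jar found in $target" >&2
        bad=1
    fi
    set -- $minors
    if [ "$#" -gt 1 ]; then
        echo "MISMATCH    Jackson minor versions differ:$minors"
        bad=1
    fi
    return "$bad"
}

# Run only when invoked with arguments, e.g.:
#   sh check_jackson.sh search-guard-6-6.1.4-22.3.zip 2.8.11.3
if [ "$#" -gt 0 ]; then
    check_jackson "$1" "${2:-2.8.11.3}"
fi
```

Run it against the zip before `elasticsearch-plugin install` and against the installed plugin directory afterwards; a non-zero exit means either a databind jar below the minimum or a mixed set of Jackson minor versions, which is the case to watch for when dropping a 2.9.x databind into a zip whose other Jackson jars are still 2.8.x.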

I’d go with 2.8.11.3

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.