Shulou(Shulou.com)06/01 Report--

I had a rest two days ago, but there was a loophole at this time. I had a thump in my heart. I hope that bloggers who pay attention to it can pay attention to it.

1. Time:

2017-4-17

2. Loopholes:

Jackson framework Java deserializes remote code execution vulnerabilities. Jackson can easily convert Java objects into json objects and xml documents, as well as json and xml into Java objects.

3. Vulnerability analysis:

Jackson is an open source java serialization and deserialization tool framework that serializes java objects into strings in xml and json formats and the corresponding deserialization process. Because of its high parsing efficiency, it is currently a built-in parsing method in Spring MVC. The vulnerability is triggered when the enableDefaultTyping method is called before ObjectMapper deserialization. This method allows the class name of the deserialized java object to be specified in the json string, while deserialization vulnerabilities can be triggered when Object, Map, List, and so on.

4. Affect the version:

Jackson Version 2.7.*

< 2.7.10 Jackson Version 2.8.* < 2.8.9 5、漏洞来源：绿盟科技 国家信息安全漏洞共享平台（CNVD） 严重性：***者利用漏洞可在服务器主机上执行任意代码或系统指令，取得网站服务器的控制权。 6、修补方式： 更新到2.7.10或2.8.9版本（但官网目前我试过打不开，新版本并未更新） 手动修改2.7.*，2.8.*以及master分支的代码来防护该漏洞. 7、Github参考： https://github.com/FasterXML/jacksondatabind/commit/fd8dec2c7fab8b4b4bd60502a0f1d63ec23c24da 8、合作：运维排查，开发修改。 9、开发给的建议：

10. Reminder: pay attention to safety and be careful.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.