Block yet another gadget type (jdom, CVE-2019-12814)

[cowtowncoder]

Similar to other polymorphic types with no limits, but for XXE with jdom2.jar, tracked as CVE-2019-12814.

See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Fixed in:

• 2.9.10
• 2.8.11.4
• 2.7.9.6
• 2.6.7.3

[cowtowncoder]

Fixed in 2.7, 2.8, 2.9, 2.10 and master branches for likely release in 2.9.9.1 and 2.10.0.

[anthonymonori]

When can we expect a 2.9.9.1 release?

[volkert-fastned]

I appreciate the hard work being done by the jackson-databind developers, but 3 days later, I have to repeat @antalindisguise's question again: Why isn't 2.9.9.1 released yet? Those of us who use the OWASP Dependency Check plugin in our projects now have failing builds because of CVE-2019-12814, without a proper remedy. I really don't like adding a suppression for a legitimate security issue. 😕

[OrangeDog]

@volkert-fastned if it helps, you've had a legitimate security issue for ages already, you just didn't know about it until today. Plus, if you don't have JDOM then it would be a legitimate suppression,

[volkert-fastned]

@OrangeDog Thanks. I read it in the CVE description as well.

So when the following commands return no results, the project should be unaffected, correct?

# Maven project
mvn dependency:tree | grep -i jdom

# Gradle project
./gradlew dependencies | grep -i jdom