
False positive: CVE-2017-17485 detected for fixed Jackson-databind #1088

Closed
runeflobakk opened this issue Feb 1, 2018 · 5 comments

@runeflobakk

jackson-databind-2.7.9.2

False positive on library jackson-databind-2.7.9.2.jar - reported as cpe:/a:fasterxml:jackson:2.7.9.2, cpe:/a:fasterxml:jackson-databind:2.7.9.2, com.fasterxml.jackson.core:jackson-databind:2.7.9.2

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.7.9.2</version>
</dependency>

The CVE-2017-17485 vulnerability is fixed in:

  • Jackson-databind version 2.9.3.1
  • Jackson-databind version 2.7.9.2
  • Jackson-databind version 2.8.11

https://blog.nsfocusglobal.com/threats/vulnerability-analysis/jackson-databind-rce-vulnerability-handling-guide-cve-2017-17485/

@jeremylong
Owner

We use the data from the NVD which still states everything prior to 2.8.11 is vulnerable. You can see this in the NVD entry CVE-2017-17485. Additionally, take a look at one of the jackson-databind developers' comments on the issue FasterXML/jackson-databind#1855 (comment)...

@strackam

Hello,
Using the maven plugin, no CVEs are reported for jackson-databind version 2.9.3 or 2.9.2.
Neither CVE-2017-17485 nor CVE-2018-5968 appears.
But they appear in jackson-databind v2.8.10.
Regarding these CVE details, they should also appear from 2.9.0 to 2.9.3, no?

@jeremylong
Owner

Unfortunately, we have been relying on the information in the XML data feeds from NIST. For CVE-2018-5968 they provide:

<entry id="CVE-2018-5968">
    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
      <cpe-lang:logical-test operator="OR" negate="false">
        <cpe-lang:fact-ref name="cpe:/a:fasterxml:jackson-databind:2.8.11"/>
      </cpe-lang:logical-test>
    </vuln:vulnerable-configuration>
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:fasterxml:jackson-databind:2.8.11</vuln:product>
    </vuln:vulnerable-software-list>
...

However, if you look at the JSON data feed, they include the additional information:

    "configurations" : {
      "CVE_data_version" : "4.0",
      "nodes" : [ {
        "operator" : "OR",
        "cpe" : [ {
          "vulnerable" : true,
          "cpe22Uri" : "cpe:/a:fasterxml:jackson-databind",
          "cpe23Uri" : "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
          "versionEndIncluding" : "2.8.11"
        }, {
          "vulnerable" : true,
          "cpe22Uri" : "cpe:/a:fasterxml:jackson-databind",
          "cpe23Uri" : "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
          "versionStartIncluding" : "2.9.0",
          "versionEndIncluding" : "2.9.3"
        } ]
      } ]
    }

Switching to the JSON data feeds will require several updates - within dependency-check but appears imperative as the NVD data is much more robust in the JSON feed. I had previously been hesitant as the JSON feed is still labeled as beta and a change by the NVD could cause all instances of ODC to fail...
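Added example (not code from dependency-check or Dependency-Track) showing why the two feeds disagree: the XML vulnerable-software-list names only exact CPEs, while the JSON configuration node quoted above carries version ranges, so range matching flags 2.8.10, 2.9.2 and (per NVD) 2.7.9.2 that an exact match misses. The exact-match logic stands in for XML-based matching only as a simplification; the JSON excerpt is constructed from the node quoted above, and the product CPE string and helper names are assumptions.

```python
import json

# Constructed excerpt of the NVD JSON feed entry for CVE-2018-5968, built from
# the configuration node quoted in the comment above (cpe23Uri fields omitted).
NVD_JSON_ENTRY = json.loads("""
{
  "configurations": {
    "CVE_data_version": "4.0",
    "nodes": [{
      "operator": "OR",
      "cpe": [
        {"vulnerable": true, "cpe22Uri": "cpe:/a:fasterxml:jackson-databind",
         "versionEndIncluding": "2.8.11"},
        {"vulnerable": true, "cpe22Uri": "cpe:/a:fasterxml:jackson-databind",
         "versionStartIncluding": "2.9.0", "versionEndIncluding": "2.9.3"}
      ]
    }]
  }
}
""")

# The XML feed's vulnerable-software-list for the same CVE held a single exact CPE.
XML_EXACT_CPES = {"cpe:/a:fasterxml:jackson-databind:2.8.11"}


def parse_version(v):
    """Split a dotted version into a tuple of ints so 2.7.9.2 < 2.8.11 compares numerically."""
    return tuple(int(p) for p in v.split("."))


def xml_feed_matches(product_cpe22, version):
    """Simplified exact-CPE matching, the only thing the XML list above supports."""
    return f"{product_cpe22}:{version}" in XML_EXACT_CPES


def json_feed_matches(entry, product_cpe22, version):
    """Range matching over the JSON configuration nodes (OR nodes, *Including bounds only)."""
    ver = parse_version(version)
    for node in entry["configurations"]["nodes"]:
        for match in node.get("cpe", []):
            if not match.get("vulnerable") or match["cpe22Uri"] != product_cpe22:
                continue
            lo = match.get("versionStartIncluding")   # absent means open-ended below
            hi = match.get("versionEndIncluding")     # absent means open-ended above
            if (lo and ver < parse_version(lo)) or (hi and ver > parse_version(hi)):
                continue
            return True  # inside at least one vulnerable range
    return False
```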

@stevespringett
Collaborator

@jeremylong Dependency-Track has been using the beta JSON feed exclusively since May 2017. I've only had to make a single change (in August 2017) to fix the parser to work with changes made to the beta feed. Dependency-Track doesn't use the XML feeds.

For reference, this is the NvdParser that Dependency-Track uses.

@jeremylong
Owner

With the switch to the json data feeds in 5.0.0-M1 this issue was resolved.

@jeremylong jeremylong added this to the 5.0.0-M3 milestone May 6, 2019
@lock lock bot locked and limited conversation to collaborators Jun 6, 2019