Block two more gadget types (commons-configuration/-2)

[ybhou1993]

Another gadget (*) type report regarding a class of commons-configuration (and later commons-configuration2) package(s)

Mitre id: not yet allocated
Reporter: @ybhou1993

Fixed in:

• 2.9.10 and later
• 2.8.11.5
• 2.6.7.3
• does not affect 2.10.0 and later

---

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type

[cowtowncoder]

Of these 4 classes (and dependencies), 2 are already blocked:

• OracleManagedConnectionFactory (via Block one more gadget type (oracle-jdbc, CVE-2018-12023) #2058 )
• HikariConfig (via Block one more gadget type (HikariCP, CVE-2019-14540) #2410

but remaining two

• commons-configration 1.9, class org.apache.commons.configuration.JNDIConfiguration
• xalan 2.7.2, class org.apache.xalan.lib.sql.JNDIConnectionPool

are not yet blocked. So anyone with time could have a look -- and if no one else does, I'll eventually have a look. Methods as mentioned can not be triggered by Jackson databind, but in many existing cases methods get called as a side effect so that alone does not necessarily mean they are not gadget types.

[melloware]

Since you mentioned commons config 1.9 you might also want to block commons-configuration2 which is a different class.

org.apache.commons.configuration2.JNDIConfiguration

[ybhou1993]

Of these 4 classes (and dependencies), 2 are already blocked:

• OracleManagedConnectionFactory (via Block one more gadget type (oracle-jdbc, CVE-2018-12023) #2058 )
• HikariConfig (via Block one more gadget type (HikariCP, CVE-2019-14540) #2410

but remaining two

• commons-configration 1.9, class org.apache.commons.configuration.JNDIConfiguration
• xalan 2.7.2, class org.apache.xalan.lib.sql.JNDIConnectionPool

are not yet blocked. So anyone with time could have a look -- and if no one else does, I'll eventually have a look. Methods as mentioned can not be triggered by Jackson databind, but in many existing cases methods get called as a side effect so that alone does not necessarily mean they are not gadget types.

@cowtowncoder Please ensure 2.9.10 also blocked these gadgets

[cowtowncoder]

I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

[ybhou1993]

I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

I agree what you said. Besides, I wonder to know if 2.9.10 version would be released in mid-October or later?

[ybhou1993]

I'd prefer a proof-of-concept showing how these could be used: I agree there is potential, but something to indicate actual mechanism (but if so, send email via fasterxml.com).

I have send a email to info@fasterxml.com. The article is written in Chinese, published in a china security community

[cowtowncoder]

I hope 2.9.10 can released early in October, in first part. I just want to wait for 2.10.0 to get out first.
Thank you for sending more details, that should be helpful.