Camunda Springboot Rest - Security Vulnerability on jackson-databind dependency

Hi Community,

I created Camunda Webapp and Restapp using spring boot starter dependencies and bundled into war and deployed to Liberty server. They are working fine. But when we run a Nexus IQ scan on the project, it reported below security vulnerability on jackson-databind dependency as camunda springboot starter rest uses this dependency.

“jackson-databindis vulnerable to Remote Code Execution (RCE). ThecreateBeanDeserializer()function in theBeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.”

Could someone please help us know if Camunda has any plans to fix this issue or any counter measures are already implemented?

Suggested workaround by Nexus IQ is not to use the default typing by explicitly setting objectmapper.disableDefaultTyping. Is there any way to implement this?

Thanks in Advance,

Hi Ravitheja,

Yes, we are aware of this. The latest Camunda patches (released last Friday) ship jackson-databind version and we are already aware that there is another release that fixes a couple more vulnerabilities, for which we will build another set of patches this month.

Note that in the case of Camunda Spring Boot Starter, the Jackson dependency primarily comes via Spring Boot, however the latest Spring Boot version 2.1.6 only comes with Jackson 2.9.9. In that case, we recommend to manually override the jackson-databind version to the currently latest version ( Note that based on Upgrade to Jackson · Issue #17698 · spring-projects/spring-boot · GitHub, this may or may not be trivial. Once there is a new Spring Boot release, we will release a patch for the Spring Boot Starter accordingly.

That’s unfortunately not as easy. I think the best workaround option is to avoid having the exploitable gadgets not on the classpath, e.g. in the case of NVD - CVE-2019-12384, make sure you do not use logback-core.