Fix vulnerable jackson-databind dependency #142

Closed
mejo123 opened this issue Oct 16, 2019 · 3 comments
@mejo123
Contributor

mejo123 commented Oct 16, 2019

Blackduck scanning reported a critical vulnerability in the jackson-databind version used here. The recommendation was to move ahead to version 2.10.0. The said vulnerability is explained here:

The vulnerability issues are reported by CVE-2018-11307; CVE-2018-12022; CVE-2018-12023.
Can you fix it in next release?

Details:
[CVE-2018-11307]
Vulnerability Issue: CVE-2018-11307
Severity: Sonatype CVSS 3.0: 6.3
Weakness: Sonatype CWE-502
Source: National Vulnerability Database
Categories: Data
Description from CVE: jackson-databind - Information Exposure via Deserialization
Explanation: jackson-databind is vulnerable to Information Exposure via Deserialization of Untrusted Data. The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object which will result in the exfiltration of sensitive information if the application attempts to deserialize it.
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968 and CVE-2018-7489.
Detection: The application is vulnerable by using this component when default typing is enabled and passing in untrusted data to be deserialized.
Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.
Recommendation: There is no non-vulnerable version of this component. Despite there being a fix provided by Jackson, it uses a black-list approach. If there is another class not black-listed which performs deserialization on the classpath, then this may lead to code execution. We recommend investigating alternative components or a potential mitigating control.
Workaround: Do not use the default typing. Instead you will need to implement your own. It is also possible to customize global defaulting using ObjectMapper.setDefaultTyping(…); you just have to implement your own TypeResolverBuilder, which is not very difficult, and by doing so can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.
Reference: https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization . Examples of implementing your own typing can be found by looking at Spring Security's fix or this Stack Overflow article.
Root Cause: org.wso2.carbon.apimgt.rest.api.admin-6.4.40.war
  * jackson-databind-2.9.5.jar
  * SubTypeValidator.class - [2.9.5, 2.9.6)
Advisories: Project: https://github.com//issues/2032
CVSS Details: Sonatype CVSS 3.0: 6.3

____________________

[CVE-2018-12022]
Vulnerability Issue: CVE-2018-12022
Severity: Sonatype CVSS 3.0: 8.5
Weakness: Sonatype CWE-502
Source: National Vulnerability Database
Categories: Data
Description from CVE: jackson-databind - Remote Code Execution (RCE)
Explanation: jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968 and CVE-2018-7489.
Detection: The application is vulnerable by using this component when default typing is enabled and passing in untrusted data to be deserialized.
Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.
Recommendation: There is no non-vulnerable version of this component. Despite there being a fix provided by Jackson, it uses a black-list approach. If there is another class not black-listed which performs deserialization on the classpath, then this may lead to code execution. We recommend investigating alternative components or a potential mitigating control.
Workaround: Do not use the default typing. Instead you will need to implement your own. It is also possible to customize global defaulting using ObjectMapper.setDefaultTyping(…); you just have to implement your own TypeResolverBuilder, which is not very difficult, and by doing so can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.
Reference: https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization . Examples of implementing your own typing can be found by looking at Spring Security's fix or this Stack Overflow article.
Root Cause: org.wso2.carbon.apimgt.rest.api.admin-6.4.40.war
  * jackson-databind-2.9.5.jar
  * SubTypeValidator.class - [2.9.5, 2.9.6)
Advisories: Project: https://github.com//issues/2052
CVSS Details: Sonatype CVSS 3.0: 8.5

____________________

[CVE-2018-12023]
Vulnerability Issue: CVE-2018-12023
Severity: Sonatype CVSS 3.0: 8.5
Weakness: Sonatype CWE-502
Source: National Vulnerability Database
Categories: Data
Description from CVE: jackson-databind - Remote Code Execution (RCE)
Explanation: jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968 and CVE-2018-7489.
Detection: The application is vulnerable by using this component when default typing is enabled and passing in untrusted data to be deserialized.
Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.
Recommendation: There is no non-vulnerable version of this component. Despite there being a fix provided by Jackson, it uses a black-list approach. If there is another class not black-listed which performs deserialization on the classpath, then this may lead to code execution. We recommend investigating alternative components or a potential mitigating control.
Workaround: Do not use the default typing. Instead you will need to implement your own. It is also possible to customize global defaulting using ObjectMapper.setDefaultTyping(…); you just have to implement your own TypeResolverBuilder, which is not very difficult, and by doing so can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.
Reference: https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization . Examples of implementing your own typing can be found by looking at Spring Security's fix or this Stack Overflow article.
Root Cause: org.wso2.carbon.apimgt.rest.api.admin-6.4.40.war
  * jackson-databind-2.9.5.jar
  * SubTypeValidator.class - [2.9.5, 2.9.6)
Advisories: Project: https://github.com//issues/2058
CVSS Details: Sonatype CVSS 3.0: 8.5

____________________
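
The scanner's "Detection" and "Workaround" entries above describe the configuration that makes these CVEs reachable (global default typing plus untrusted input) and the mitigation (do not rely on default typing; declare polymorphism yourself). The following is an added example, not code from this issue, the linked PR, or the WSO2 project: it places the flagged configuration next to two hardened forms. It assumes jackson-databind 2.10.0 (the version the report recommends), where `enableDefaultTyping` is deprecated and `activateDefaultTyping` takes a `PolymorphicTypeValidator` allow-list; the `Animal`/`Cat`/`Dog` model and the `com.example.model.` package prefix are invented for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the issue or the project). Requires jackson-databind 2.10.0+.
public class JacksonTypingExample {

    // Assumed model: polymorphism is declared on the hierarchy with logical
    // names, so a document can only select one of the listed subtypes.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Cat.class, name = "cat"),
        @JsonSubTypes.Type(value = Dog.class, name = "dog")
    })
    public interface Animal {}
    public static class Cat implements Animal { public String name; }
    public static class Dog implements Animal { public String name; }

    /** The configuration the scan flags: global default typing lets the input
     *  document name any class on the classpath, which is what the CVEs need. */
    @SuppressWarnings("deprecation")
    public static ObjectMapper flaggedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated in 2.10
        return mapper;
    }

    /** Preferred form of the workaround: no default typing at all. Polymorphic
     *  fields resolve only through @JsonTypeInfo/@JsonSubTypes declarations. */
    public static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }

    /** If default typing is genuinely required, 2.10's validator replaces the
     *  black-list with an explicit allow-list of base types and subtype packages. */
    public static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Animal.class)
            .allowIfSubType("com.example.model.") // assumed application package prefix
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a valid subtype name resolves normally.
        String good = "{\"kind\":\"cat\",\"name\":\"Tom\"}";
        Animal a = safeMapper().readValue(good, Animal.class);
        System.out.println("resolved: " + a.getClass().getSimpleName()); // Cat

        // Constructed sample input: an unlisted type name is rejected rather than
        // instantiated, which is the behaviour the workaround is after.
        String unknown = "{\"kind\":\"hamster\",\"name\":\"x\"}";
        try {
            safeMapper().readValue(unknown, Animal.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

Upgrading the dependency to 2.10.0 removes the flagged `SubTypeValidator` versions from the classpath, but the scanner's recommendation still applies: a mapper that only uses annotated hierarchies (`safeMapper`) or an allow-list validator (`allowListMapper`) does not depend on the black-list at all, so a future gadget class on the classpath does not reopen the issue.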

@Alex-Vol-SV
Collaborator

I will do ASAP.

@mejo123
Contributor Author

mejo123 commented Oct 16, 2019

@Alex-Vol-SV I have already fixed the vulnerability and submitted a PR. Please Review.

@Alex-Vol-SV
Collaborator

Added to master and will be released shortly
