CDH6.3.1集群修复Jackson-databind远程代码执行漏洞 CVE-2019-12384

系统环境

CentOS 7.7.1908
CDH 6.3.1
Jackson-databind 2.9.8/2.9.9/2.9.9.3

漏洞描述

【CVE】
CVE-2019-12384
【漏洞描述】
由于Jackson黑名单过滤不完整而导致,当开发人员在应用程序中通过ObjectMapper对象调用enableDefaultTyping方法时,程序就会受到此漏洞的影响,攻击者就可利用构造的包含有恶意代码的json数据包对应用进行攻击,直接获取服务器控制权限。
【受影响版本】
Jackson-databind < 2.6.7.3、2.7.0 - 2.7.9.5、2.8.0 - 2.8.11.3、2.9.0 - 2.9.9.3
【升级建议】
1.该漏洞修复后需要重启相关服务,建议在业务不繁忙时进行修复。
下载更新:https://github.com/FasterXML/jackson-databind/releases
2.请参考Maven中的升级方法升级到 2.6.7.3、2.7.9.6、2.8.11.4、2.9.10及以上最新版本修复该漏洞。

修复过程

  1. 使用find命令查找系统Jackson-databind包
    find / -name "jackson-databind*"
  2. 编写修复脚本,由于jackson-databind关联的包比较多,为防止依赖风险,需要将其他jackson包都升级至2.9.10,jackson-databind升级至2.9.10.3, 具体脚本如下所示:
#!/bin/bash
########################################
#    upgrade jackson-databind version  #
#    write by BertramLAU               #
#    v1.0                              #
########################################

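#define package versions
# OLD_VERSION selects which on-disk layout the clean-up functions assume:
#   2.9.8        -> Cloudera Manager jars under /opt/cloudera/cm (TARGET_PATHS, CDH_COMMON_JARS_PATH)
#   2.9.9/2.9.9.3 -> parcel jars under the CDH parcel (NEW_TARGET_PATHS, CDH_JARS_PATH)
# It must match the version string embedded in the existing link/file names exactly.
OLD_VERSION="2.9.8"
# every companion jackson-* module is raised to NEW_MAIN_VERSION; databind itself
# to the patched micro release NEW_MINUS_VERSION
NEW_MAIN_VERSION="2.9.10"
NEW_MINUS_VERSION="2.9.10.3"
# group-id path segment on Maven Central: com/fasterxml/<MAIN_PACKAGE>/<subpath>/<artifact>
MAIN_PACKAGE="jackson"


CDH_COMMON_JARS_PATH="/opt/cloudera/cm/common_jars"
CLOUDERA_NAVIGATOR_SERVER_CDH5_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-server/libs/cdh5"
CLOUDERA_NAVIGATOR_SERVER_CDH6_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-server/libs/cdh6"
CLOUDERA_NAVIGATOR_SERVER_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-server/jars"
CLOUDERA_SCM_TELEPUB_JARS_PATH="/opt/cloudera/cm/cloudera-scm-telepub/jars"
CLOUDERA_NAVIGATOR_AUDIT_SERVER_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-audit-server"
CDH_LIB_PATH="/opt/cloudera/cm/lib"
# The parcel directory name is installation-specific (release + build number);
# confirm it against /opt/cloudera/parcels on the host before running.
CDH_JARS_PATH="/opt/cloudera/parcels/CDH-6.3.1-1.cdh6.3.1.p0.1470567/jars"

CDH_ROOT_LIB_PATH="/opt/cloudera/parcels/CDH-6.3.1-1.cdh6.3.1.p0.1470567/lib"
CDH_FLINK_ROOT_LIB_PATH="/opt/cloudera/parcels/FLINK-1.9.0-csa1.0.0.0-cdh6.3.0/lib"
FLINK_LIB_PATH="flink/lib"


# sub-directories below CDH_ROOT_LIB_PATH that carry their own jackson jars/links
HBASE_SOLR_PATH="hbase-solr/lib"
KITE_LIB_PATH="kite/lib"
SENTRY_LIB_PATH="sentry/lib"
OOZIE_LIBTOOLS_PATH="oozie/libtools"
OOZIE_EMBEDDED_OOZIE_SERVER_PATH="oozie/embedded-oozie-server/webapp/WEB-INF/lib"
OOZIE_SHARELIB_YARN_HIVE_PATH="oozie/oozie-sharelib-yarn/lib/hive"
OOZIE_SHARELIB_YARN_SPARK_PATH="oozie/oozie-sharelib-yarn/lib/spark"
OOZIE_SHARELIB_YARN_SQOOP_PATH="oozie/oozie-sharelib-yarn/lib/sqoop"
OOZIE_SHARELIB_YARN_PIG_PATH="oozie/oozie-sharelib-yarn/lib/pig"
OOZIE_SHARELIB_YARN_HIVE2_PATH="oozie/oozie-sharelib-yarn/lib/hive2"
OOZIE_SHARELIB_YARN_HCATALOG_PATH="oozie/oozie-sharelib-yarn/lib/hcatalog"
OOZIE_SHARELIB_YARN_GIT_PATH="oozie/oozie-sharelib-yarn/lib/git"

OOZIE_LIB_PATH="oozie/lib"
SEARCH_LIB_SEARCH_CRUNCH_PATH="search/lib/search-crunch"
SEARCH_LIB_PATH="search/lib"

HIVE_LIB_PATH="hive/lib"
SOLR_SERVER_LIB_EXT_PATH="solr/server/lib/ext"
SOLR_SERVER_WEBAPP_PATH="solr/server/solr-webapp/webapp/WEB-INF/lib"
FLUME_NG_LIB_PATH="flume-ng/lib"
KAFKA_LIBS_PATH="kafka/libs"
SPARK_JARS_PATH="spark/jars"
SQOOP_LIB_PATH="sqoop/lib"
PIG_LIB_PATH="pig/lib"
PIG_LIB_SPARK_PATH="pig/lib/spark"
IMPALA_LIB_PATH="impala/lib"
HBASE_LIB_PATH="hbase/lib"
HADOOP_YARN_LIB_PATH="hadoop-yarn/lib"
HADOOP_HDFS_LIB_PATH="hadoop-hdfs/lib"
HADOOP_CLIENT_PATH="hadoop/client"
HADOOP_LIB_PATH="hadoop/lib"
PARQUET_LIB_PATH="parquet/lib"

#define the old version paths
#for 2.9.8 (Cloudera Manager side) -- quoted so a path with spaces stays one element
TARGET_PATHS=(
    "$CLOUDERA_NAVIGATOR_SERVER_CDH5_JARS_PATH"
    "$CLOUDERA_NAVIGATOR_SERVER_CDH6_JARS_PATH"
    "$CLOUDERA_NAVIGATOR_SERVER_JARS_PATH"
    "$CLOUDERA_SCM_TELEPUB_JARS_PATH"
    "$CLOUDERA_NAVIGATOR_AUDIT_SERVER_JARS_PATH"
    "$CDH_LIB_PATH"
)

#for 2.9.9 (CDH parcel side)
NEW_TARGET_PATHS=(
    "$CDH_ROOT_LIB_PATH/$HBASE_SOLR_PATH"
    "$CDH_ROOT_LIB_PATH/$KITE_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$SENTRY_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$HADOOP_YARN_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$HADOOP_HDFS_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$HADOOP_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$HADOOP_CLIENT_PATH"
    "$CDH_ROOT_LIB_PATH/$PARQUET_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$OOZIE_LIBTOOLS_PATH"
    "$CDH_ROOT_LIB_PATH/$OOZIE_EMBEDDED_OOZIE_SERVER_PATH"
    "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_HIVE_PATH"
    "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_SPARK_PATH"
    "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_SQOOP_PATH"
    "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_PIG_PATH"
    "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_HIVE2_PATH"
    "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_HCATALOG_PATH"
    "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_GIT_PATH"
    "$CDH_ROOT_LIB_PATH/$OOZIE_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$SEARCH_LIB_SEARCH_CRUNCH_PATH"
    "$CDH_ROOT_LIB_PATH/$SEARCH_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$HIVE_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$IMPALA_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$SOLR_SERVER_LIB_EXT_PATH"
    "$CDH_ROOT_LIB_PATH/$SOLR_SERVER_WEBAPP_PATH"
    "$CDH_ROOT_LIB_PATH/$FLUME_NG_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$KAFKA_LIBS_PATH"
    "$CDH_ROOT_LIB_PATH/$SPARK_JARS_PATH"
    "$CDH_ROOT_LIB_PATH/$PIG_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$PIG_LIB_SPARK_PATH"
    "$CDH_ROOT_LIB_PATH/$SQOOP_LIB_PATH"
    "$CDH_ROOT_LIB_PATH/$HBASE_LIB_PATH"
    "$CDH_FLINK_ROOT_LIB_PATH/$FLINK_LIB_PATH"
)

# artifact -> Maven Central sub-path below com/fasterxml/jackson
declare -A PACKAGE_SUBPATH_DICT=(
    [jackson-annotations]="core"
    [jackson-core]="core"
    [jackson-databind]="core"
    [jackson-dataformat-cbor]="dataformat"
    [jackson-dataformat-csv]="dataformat"
    [jackson-dataformat-smile]="dataformat"
    [jackson-dataformat-xml]="dataformat"
    [jackson-dataformat-yaml]="dataformat"
    [jackson-datatype-jdk8]="datatype"
    [jackson-datatype-joda]="datatype"
    [jackson-jaxrs-base]="jaxrs"
    [jackson-jaxrs-json-provider]="jaxrs"
    [jackson-module-jaxb-annotations]="module"
    [jackson-module-jsonSchema]="module"
    [jackson-module-mrbean]="module"
    [jackson-module-paranamer]="module"
    [jackson-module-scala_2.11]="module"
)

# artifact -> version to install; only databind gets the patched micro release
declare -A PACKAGE_VERSION_DICT=(
    [jackson-annotations]=$NEW_MAIN_VERSION
    [jackson-core]=$NEW_MAIN_VERSION
    [jackson-databind]=$NEW_MINUS_VERSION
    [jackson-dataformat-cbor]=$NEW_MAIN_VERSION
    [jackson-dataformat-csv]=$NEW_MAIN_VERSION
    [jackson-dataformat-smile]=$NEW_MAIN_VERSION
    [jackson-dataformat-xml]=$NEW_MAIN_VERSION
    [jackson-dataformat-yaml]=$NEW_MAIN_VERSION
    [jackson-datatype-jdk8]=$NEW_MAIN_VERSION
    [jackson-datatype-joda]=$NEW_MAIN_VERSION
    [jackson-jaxrs-base]=$NEW_MAIN_VERSION
    [jackson-jaxrs-json-provider]=$NEW_MAIN_VERSION
    [jackson-module-jaxb-annotations]=$NEW_MAIN_VERSION
    [jackson-module-jsonSchema]=$NEW_MAIN_VERSION
    [jackson-module-mrbean]=$NEW_MAIN_VERSION
    [jackson-module-paranamer]=$NEW_MAIN_VERSION
    [jackson-module-scala_2.11]=$NEW_MAIN_VERSION
)


# iteration order for the download/link/unlink loops; every entry must have a
# key in both dictionaries above
PACKAGE_NAMES=(
    jackson-dataformat-csv
    jackson-dataformat-cbor
    jackson-dataformat-yaml
    jackson-dataformat-xml
    jackson-dataformat-smile
    jackson-datatype-joda
    jackson-datatype-jdk8
    jackson-module-jsonSchema
    jackson-jaxrs-base
    jackson-jaxrs-json-provider
    jackson-annotations
    jackson-core
    jackson-module-jaxb-annotations
    jackson-module-mrbean
    jackson-module-paranamer
    jackson-module-scala_2.11
    jackson-databind
)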

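#1. download jackson jars from maven source
#   For each PACKAGE_NAMES entry, fetch <pkg>-<ver>.jar from Maven Central into
#   CDH_JARS_PATH unless it is already there. The jar is written to a .part
#   file first and only moved into place after its size/content matches the
#   .sha1 Maven Central publishes beside the artifact, so a truncated or
#   failed transfer can never leave a bogus jar that a later run treats as
#   "already downloaded". The checksum comes from the same origin as the jar,
#   so this catches corruption, not a compromised repository.
#   Globals read: PACKAGE_NAMES, PACKAGE_SUBPATH_DICT, PACKAGE_VERSION_DICT,
#                 MAIN_PACKAGE, CDH_JARS_PATH
Download(){
    echo "Begin download packages from maven repo"
    local PACKAGE SUBPATH PACKAGE_VERSION DOWNLOAD_URL FILE_FULLPATH
    local TMP_FILE EXPECTED_SHA1 ACTUAL_SHA1
    for PACKAGE in "${PACKAGE_NAMES[@]}"; do
        SUBPATH=${PACKAGE_SUBPATH_DICT[$PACKAGE]}
        PACKAGE_VERSION=${PACKAGE_VERSION_DICT[$PACKAGE]}
        DOWNLOAD_URL="https://repo1.maven.org/maven2/com/fasterxml/$MAIN_PACKAGE/$SUBPATH/$PACKAGE/$PACKAGE_VERSION/$PACKAGE-$PACKAGE_VERSION.jar"
        #for 2.9.8
        #FILE_FULLPATH="$CDH_COMMON_JARS_PATH/$PACKAGE-$PACKAGE_VERSION.jar"
        #for 2.9.9
        FILE_FULLPATH="$CDH_JARS_PATH/$PACKAGE-$PACKAGE_VERSION.jar"
        if [ -f "$FILE_FULLPATH" ]; then
            echo "$FILE_FULLPATH exists, no need download"
            continue
        fi
        echo "begin donwload $PACKAGE from URL: $DOWNLOAD_URL"
        TMP_FILE="$FILE_FULLPATH.part"
        if ! wget "$DOWNLOAD_URL" -O "$TMP_FILE"; then
            echo "download failed: $DOWNLOAD_URL" >&2
            rm -f -- "$TMP_FILE"
            continue
        fi
        # the .sha1 file may be "<hash>" or "<hash>  <filename>"; keep the first 40 hex chars
        EXPECTED_SHA1=$(wget -q -O - "$DOWNLOAD_URL.sha1" | tr -d '[:space:]' | cut -c1-40)
        ACTUAL_SHA1=$(sha1sum -- "$TMP_FILE" | cut -d' ' -f1)
        if [ -z "$EXPECTED_SHA1" ] || [ "$EXPECTED_SHA1" != "$ACTUAL_SHA1" ]; then
            echo "checksum mismatch for $PACKAGE: expected '$EXPECTED_SHA1' got '$ACTUAL_SHA1', not installing" >&2
            rm -f -- "$TMP_FILE"
            continue
        fi
        # mode kept from the original script; the rename is the last step so the
        # final path only ever holds a complete, verified jar
        chmod 755 "$TMP_FILE"
        mv -f -- "$TMP_FILE" "$FILE_FULLPATH"
    done
    echo "Finished download packages from maven repo"
}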
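#2. create links to new version jars
#   For every package and every directory in NEW_TARGET_PATHS, create
#   <dir>/<pkg>-<ver>.jar -> CDH_JARS_PATH/<pkg>-<ver>.jar. An existing symlink
#   is left as is; a missing source jar, or a regular file already sitting at
#   the link path, is reported and nothing is linked or overwritten.
#   Globals read: PACKAGE_NAMES, PACKAGE_VERSION_DICT, NEW_TARGET_PATHS, CDH_JARS_PATH
CreateLink2NewVersion(){
    #echo "Begin create the new links to CDH_COMMON_JARS_PATH"
    echo "Begin create the new links to CDH_JARS_PATH"
    local PACKAGE TGT_PATH PACKAGE_VERSION NEW_LINK_FILE NEW_SRC_FILE
    for PACKAGE in "${PACKAGE_NAMES[@]}"; do
        PACKAGE_VERSION=${PACKAGE_VERSION_DICT[$PACKAGE]}
        # the source jar is the same for every target directory
        NEW_SRC_FILE="$CDH_JARS_PATH/$PACKAGE-$PACKAGE_VERSION.jar"
        #for 2.9.8
        #for TGT_PATH in "${TARGET_PATHS[@]}"; do
        for TGT_PATH in "${NEW_TARGET_PATHS[@]}"; do
            NEW_LINK_FILE="$TGT_PATH/$PACKAGE-$PACKAGE_VERSION.jar"
            if [ -h "$NEW_LINK_FILE" ]; then
                echo "link file:$NEW_LINK_FILE has created!"
                continue
            fi
            echo "create soft link from $NEW_LINK_FILE to $NEW_SRC_FILE"
            if [ ! -f "$NEW_SRC_FILE" ]; then
                echo "src file:$NEW_SRC_FILE not exist! cannot create soft link"
            elif [ -e "$NEW_LINK_FILE" ]; then
                # a real file (not a symlink) occupies the link path; never clobber it
                echo "link path:$NEW_LINK_FILE exists and is not a symlink, skip"
            else
                ln -s -- "$NEW_SRC_FILE" "$NEW_LINK_FILE"
            fi
            if [ -h "$NEW_LINK_FILE" ]; then
                echo "create soft link successed!"
            else
                echo "create soft link failed!"
            fi
        done
    done
    echo "Finished create the new links to CDH_JARS_PATH"
}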


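#3. remove links to old version jars
#   Removes <dir>/<pkg>-<OLD_VERSION>.jar symlinks. The directory set depends
#   on OLD_VERSION: 2.9.8 links live in the CM directories (TARGET_PATHS),
#   later versions in the parcel directories (NEW_TARGET_PATHS). Only symlinks
#   are removed; a regular file at that path is reported and left in place.
#   Globals read: OLD_VERSION, PACKAGE_NAMES, TARGET_PATHS, NEW_TARGET_PATHS
Unlink2OldVersion(){
    echo "Begin remove the old version links"
    local -a TARGET_DIRS
    local PACKAGE TGT_PATH OLD_LINK_FILE
    # the directory set does not depend on the package, so choose it once
    if [ "$OLD_VERSION" == "2.9.8" ]; then
        TARGET_DIRS=("${TARGET_PATHS[@]}")
    else
        TARGET_DIRS=("${NEW_TARGET_PATHS[@]}")
    fi
    for PACKAGE in "${PACKAGE_NAMES[@]}"; do
        for TGT_PATH in "${TARGET_DIRS[@]}"; do
            OLD_LINK_FILE="$TGT_PATH/$PACKAGE-$OLD_VERSION.jar"
            if [ -h "$OLD_LINK_FILE" ]; then
                unlink "$OLD_LINK_FILE"
            else
                echo "unlink failed!link file:$OLD_LINK_FILE not exists!"
            fi
        done
    done
    echo "Finished remove the old version links"
}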

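#   Rollback helper, the inverse of CreateLink2NewVersion: removes the
#   <dir>/<pkg>-<new version>.jar symlinks from every NEW_TARGET_PATHS
#   directory. The real jars in CDH_JARS_PATH are kept. The previous body
#   referenced SHIRO_PACKAGE_NAMES / IMPALA_JARS_PATH / NEW_VERSION, none of
#   which exist in this script, so it iterated over nothing (and would abort
#   under set -u); it now uses this script's own package and path tables.
#   Globals read: PACKAGE_NAMES, PACKAGE_VERSION_DICT, NEW_TARGET_PATHS
Unlink2NewVersion(){
    echo "Begin remove the new version links"
    local PACKAGE TGT_PATH PACKAGE_VERSION NEW_LINK_FILE
    for PACKAGE in "${PACKAGE_NAMES[@]}"; do
        PACKAGE_VERSION=${PACKAGE_VERSION_DICT[$PACKAGE]}
        for TGT_PATH in "${NEW_TARGET_PATHS[@]}"; do
            NEW_LINK_FILE="$TGT_PATH/$PACKAGE-$PACKAGE_VERSION.jar"
            if [ -h "$NEW_LINK_FILE" ]; then
                unlink "$NEW_LINK_FILE"
            else
                echo "unlink failed!link file:$NEW_LINK_FILE not exists!"
            fi
        done
    done
    echo "Finished remove the new version links"
}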

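#4. delete the old version files
#   Deletes the real old-version jars (not the links). For 2.9.8 they live in
#   CDH_COMMON_JARS_PATH with a hash suffix, e.g.
#   /opt/cloudera/cm/common_jars/jackson-core-2.9.8.e41844989cf7a437a2fa521f7b3c8328.jar,
#   hence the glob; for 2.9.9/2.9.9.3 they live in CDH_JARS_PATH. The Flink
#   parcel keeps its own copy under CDH_FLINK_ROOT_LIB_PATH/FLINK_LIB_PATH.
#   The glob is iterated match by match; the previous `printf "%s" $PATTERN`
#   concatenated several matches into one bogus path and deleted nothing.
#   Globals read: OLD_VERSION, PACKAGE_NAMES, CDH_COMMON_JARS_PATH, CDH_JARS_PATH,
#                 CDH_FLINK_ROOT_LIB_PATH, FLINK_LIB_PATH
RemoveOLDVersionFILE(){
    local OLD_VERSION_DIR PACKAGE OLD_VERSION_FILE FLINK_OLD_VERSION_FILE
    if [ "$OLD_VERSION" == "2.9.8" ]; then
        # for 2.9.8
        OLD_VERSION_DIR="$CDH_COMMON_JARS_PATH"
    else
        #for 2.9.9 /2.9.9.3
        OLD_VERSION_DIR="$CDH_JARS_PATH"
    fi
    echo "Begin clean up the old version files from $OLD_VERSION_DIR"
    for PACKAGE in "${PACKAGE_NAMES[@]}"; do
        # the unquoted tail is the glob; with no match the literal pattern is
        # left behind, fails -f and is reported like any other missing file
        for OLD_VERSION_FILE in "$OLD_VERSION_DIR/$PACKAGE-$OLD_VERSION."*[!.]; do
            if [ -f "$OLD_VERSION_FILE" ]; then
                rm -vf -- "$OLD_VERSION_FILE"
            else
                echo "remove file failed: $OLD_VERSION_FILE not exists!"
            fi
        done
        FLINK_OLD_VERSION_FILE="$CDH_FLINK_ROOT_LIB_PATH/$FLINK_LIB_PATH/$PACKAGE-$OLD_VERSION.jar"
        if [ -f "$FLINK_OLD_VERSION_FILE" ]; then
            rm -vf -- "$FLINK_OLD_VERSION_FILE"
        else
            echo "remove file failed: $FLINK_OLD_VERSION_FILE not exists!"
        fi
    done

    echo "Finished clean up the old version files from $OLD_VERSION_DIR"
}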

# Entry point: run the four phases in order -- fetch the new jars, link them
# into every target directory, drop the old-version links, delete the old jars.
# Unlink2NewVersion is the rollback path and is not part of the normal run.
main() {
    #Unlink2NewVersion
    Download
    CreateLink2NewVersion
    Unlink2OldVersion
    RemoveOLDVersionFILE
}
main "$@"


  1. 修复效果复测:使用find命令检查是否仍残留非2.9.10.3版本的jackson-databind包
find / -name "jackson-databind*"|grep -v 2.9.10.3

总结

参考资料

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
  2. https://blog.csdn.net/XuanAlex/article/details/104749788