系统环境
CentOS 7.7.1908
CDH 6.3.1
Jackson-databind 2.9.8/2.9.9/2.9.9.3
漏洞描述
【CVE】
CVE-2019-12384
【漏洞描述】
该漏洞由Jackson黑名单过滤不完整导致:当开发人员在应用程序中通过ObjectMapper对象调用enableDefaultTyping方法时,程序就会受到此漏洞的影响,攻击者可利用构造的包含恶意代码的json数据包对应用进行攻击,直接获取服务器控制权限。
【受影响版本】
Jackson-databind < 2.6.7.3 ,2.7.0 - 2.7.9.5 , 2.8.0 - 2.8.11.3 , 2.9.0 - 2.9.9.3
【升级建议】
1.该漏洞修复后需要服务重启,建议在业务不繁忙时修复。
下载更新:https://github.com/FasterXML/jackson-databind/releases
2.请参考Maven中的升级方法升级到 2.6.7.3、2.7.9.6、2.8.11.4、2.9.10及以上最新版本修复该漏洞。
修复过程
- 使用find命令查找系统Jackson-databind包
find / -name "jackson-databind*"
- 编写修复脚本,由于jackson-databind关联的包比较多,为防止依赖风险,需要将其他jackson包都升级至2.9.10,jackson-databind升级至2.9.10.3,具体脚本如下所示:
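#!/bin/bash
########################################
# upgrade jackson-databind version #
# write by BertramLAU #
# v1.0 #
########################################
# Upgrades every jackson-* jar shipped with Cloudera Manager / CDH to a
# version not affected by CVE-2019-12384: all helper packages go to
# NEW_MAIN_VERSION, jackson-databind itself to NEW_MINUS_VERSION.
# OLD_VERSION selects which set of directories the old links/files live in
# (see TARGET_PATHS vs NEW_TARGET_PATHS below).

#define package versions
OLD_VERSION="2.9.8"
NEW_MAIN_VERSION="2.9.10"
NEW_MINUS_VERSION="2.9.10.3"
# Maven groupId segment: com/fasterxml/$MAIN_PACKAGE/<subpath>/<artifact>
MAIN_PACKAGE="jackson"

# Cloudera Manager (server side) jar locations
CDH_COMMON_JARS_PATH="/opt/cloudera/cm/common_jars"
CLOUDERA_NAVIGATOR_SERVER_CDH5_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-server/libs/cdh5"
CLOUDERA_NAVIGATOR_SERVER_CDH6_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-server/libs/cdh6"
CLOUDERA_NAVIGATOR_SERVER_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-server/jars"
CLOUDERA_SCM_TELEPUB_JARS_PATH="/opt/cloudera/cm/cloudera-scm-telepub/jars"
CLOUDERA_NAVIGATOR_AUDIT_SERVER_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-audit-server"
CDH_LIB_PATH="/opt/cloudera/cm/lib"

# CDH parcel: CDH_JARS_PATH holds the real jars, the component lib dirs
# under CDH_ROOT_LIB_PATH hold symlinks into it.
CDH_JARS_PATH="/opt/cloudera/parcels/CDH-6.3.1-1.cdh6.3.1.p0.1470567/jars"
CDH_ROOT_LIB_PATH="/opt/cloudera/parcels/CDH-6.3.1-1.cdh6.3.1.p0.1470567/lib"
CDH_FLINK_ROOT_LIB_PATH="/opt/cloudera/parcels/FLINK-1.9.0-csa1.0.0.0-cdh6.3.0/lib"

# Component lib dirs, relative to CDH_ROOT_LIB_PATH (FLINK_LIB_PATH is
# relative to CDH_FLINK_ROOT_LIB_PATH).
FLINK_LIB_PATH="flink/lib"
HBASE_SOLR_PATH="hbase-solr/lib"
KITE_LIB_PATH="kite/lib"
SENTRY_LIB_PATH="sentry/lib"
OOZIE_LIBTOOLS_PATH="oozie/libtools"
OOZIE_EMBEDDED_OOZIE_SERVER_PATH="oozie/embedded-oozie-server/webapp/WEB-INF/lib"
OOZIE_SHARELIB_YARN_HIVE_PATH="oozie/oozie-sharelib-yarn/lib/hive"
OOZIE_SHARELIB_YARN_SPARK_PATH="oozie/oozie-sharelib-yarn/lib/spark"
OOZIE_SHARELIB_YARN_SQOOP_PATH="oozie/oozie-sharelib-yarn/lib/sqoop"
OOZIE_SHARELIB_YARN_PIG_PATH="oozie/oozie-sharelib-yarn/lib/pig"
OOZIE_SHARELIB_YARN_HIVE2_PATH="oozie/oozie-sharelib-yarn/lib/hive2"
OOZIE_SHARELIB_YARN_HCATALOG_PATH="oozie/oozie-sharelib-yarn/lib/hcatalog"
OOZIE_SHARELIB_YARN_GIT_PATH="oozie/oozie-sharelib-yarn/lib/git"
OOZIE_LIB_PATH="oozie/lib"
SEARCH_LIB_SEARCH_CRUNCH_PATH="search/lib/search-crunch"
SEARCH_LIB_PATH="search/lib"
HIVE_LIB_PATH="hive/lib"
SOLR_SERVER_LIB_EXT_PATH="solr/server/lib/ext"
SOLR_SERVER_WEBAPP_PATH="solr/server/solr-webapp/webapp/WEB-INF/lib"
FLUME_NG_LIB_PATH="flume-ng/lib"
KAFKA_LIBS_PATH="kafka/libs"
SPARK_JARS_PATH="spark/jars"
SQOOP_LIB_PATH="sqoop/lib"
PIG_LIB_PATH="pig/lib"
PIG_LIB_SPARK_PATH="pig/lib/spark"
IMPALA_LIB_PATH="impala/lib"
HBASE_LIB_PATH="hbase/lib"
HADOOP_YARN_LIB_PATH="hadoop-yarn/lib"
HADOOP_HDFS_LIB_PATH="hadoop-hdfs/lib"
HADOOP_CLIENT_PATH="hadoop/client"
HADOOP_LIB_PATH="hadoop/lib"
PARQUET_LIB_PATH="parquet/lib"

#define the old version paths
#for 2.9.8 (Cloudera Manager directories; elements quoted so a path with
#spaces could never split into two entries)
TARGET_PATHS=(
  "$CLOUDERA_NAVIGATOR_SERVER_CDH5_JARS_PATH"
  "$CLOUDERA_NAVIGATOR_SERVER_CDH6_JARS_PATH"
  "$CLOUDERA_NAVIGATOR_SERVER_JARS_PATH"
  "$CLOUDERA_SCM_TELEPUB_JARS_PATH"
  "$CLOUDERA_NAVIGATOR_AUDIT_SERVER_JARS_PATH"
  "$CDH_LIB_PATH"
)
#for 2.9.9 (CDH parcel component directories)
NEW_TARGET_PATHS=(
  "$CDH_ROOT_LIB_PATH/$HBASE_SOLR_PATH"
  "$CDH_ROOT_LIB_PATH/$KITE_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$SENTRY_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HADOOP_YARN_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HADOOP_HDFS_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HADOOP_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HADOOP_CLIENT_PATH"
  "$CDH_ROOT_LIB_PATH/$PARQUET_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_LIBTOOLS_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_EMBEDDED_OOZIE_SERVER_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_HIVE_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_SPARK_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_SQOOP_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_PIG_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_HIVE2_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_HCATALOG_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_GIT_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$SEARCH_LIB_SEARCH_CRUNCH_PATH"
  "$CDH_ROOT_LIB_PATH/$SEARCH_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HIVE_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$IMPALA_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$SOLR_SERVER_LIB_EXT_PATH"
  "$CDH_ROOT_LIB_PATH/$SOLR_SERVER_WEBAPP_PATH"
  "$CDH_ROOT_LIB_PATH/$FLUME_NG_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$KAFKA_LIBS_PATH"
  "$CDH_ROOT_LIB_PATH/$SPARK_JARS_PATH"
  "$CDH_ROOT_LIB_PATH/$PIG_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$PIG_LIB_SPARK_PATH"
  "$CDH_ROOT_LIB_PATH/$SQOOP_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HBASE_LIB_PATH"
  "$CDH_FLINK_ROOT_LIB_PATH/$FLINK_LIB_PATH"
)

# artifact name -> Maven subpath under com/fasterxml/jackson/
declare -A PACKAGE_SUBPATH_DICT
# artifact name -> version to install (only jackson-databind differs)
declare -A PACKAGE_VERSION_DICT
PACKAGE_SUBPATH_DICT=(
  [jackson-dataformat-csv]="dataformat"
  [jackson-dataformat-xml]="dataformat"
  [jackson-dataformat-yaml]="dataformat"
  [jackson-module-jsonSchema]="module"
  [jackson-dataformat-cbor]="dataformat"
  [jackson-dataformat-smile]="dataformat"
  [jackson-datatype-joda]="datatype"
  [jackson-datatype-jdk8]="datatype"
  [jackson-jaxrs-base]="jaxrs"
  [jackson-annotations]="core"
  [jackson-jaxrs-json-provider]="jaxrs"
  [jackson-core]="core"
  [jackson-module-jaxb-annotations]="module"
  [jackson-module-mrbean]="module"
  [jackson-module-paranamer]="module"
  [jackson-module-scala_2.11]="module"
  [jackson-databind]="core"
)
PACKAGE_VERSION_DICT=(
  [jackson-dataformat-csv]="$NEW_MAIN_VERSION"
  [jackson-dataformat-xml]="$NEW_MAIN_VERSION"
  [jackson-dataformat-smile]="$NEW_MAIN_VERSION"
  [jackson-dataformat-yaml]="$NEW_MAIN_VERSION"
  [jackson-module-paranamer]="$NEW_MAIN_VERSION"
  [jackson-module-scala_2.11]="$NEW_MAIN_VERSION"
  [jackson-datatype-jdk8]="$NEW_MAIN_VERSION"
  [jackson-datatype-joda]="$NEW_MAIN_VERSION"
  [jackson-jaxrs-base]="$NEW_MAIN_VERSION"
  [jackson-module-jsonSchema]="$NEW_MAIN_VERSION"
  [jackson-dataformat-cbor]="$NEW_MAIN_VERSION"
  [jackson-annotations]="$NEW_MAIN_VERSION"
  [jackson-jaxrs-json-provider]="$NEW_MAIN_VERSION"
  [jackson-core]="$NEW_MAIN_VERSION"
  [jackson-module-jaxb-annotations]="$NEW_MAIN_VERSION"
  [jackson-module-mrbean]="$NEW_MAIN_VERSION"
  [jackson-databind]="$NEW_MINUS_VERSION"
)
# Every artifact the functions below iterate over (order is the processing order)
PACKAGE_NAMES=(
  jackson-dataformat-csv
  jackson-dataformat-cbor
  jackson-dataformat-yaml
  jackson-dataformat-xml
  jackson-dataformat-smile
  jackson-datatype-joda
  jackson-datatype-jdk8
  jackson-module-jsonSchema
  jackson-jaxrs-base
  jackson-jaxrs-json-provider
  jackson-annotations
  jackson-core
  jackson-module-jaxb-annotations
  jackson-module-mrbean
  jackson-module-paranamer
  jackson-module-scala_2.11
  jackson-databind
)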
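#1. download jackson jars from maven source
#######################################
# Download every artifact in PACKAGE_NAMES from Maven Central into
# CDH_JARS_PATH, skipping jars that are already present.
# Each download goes to a temp file first and is only moved into place after
# its SHA-1 matches the .sha1 sidecar Maven Central publishes next to the
# artifact, so a truncated or corrupted transfer is never installed (and never
# satisfies the "already exists" check on a re-run).
# Globals:  PACKAGE_NAMES, PACKAGE_SUBPATH_DICT, PACKAGE_VERSION_DICT,
#           MAIN_PACKAGE, CDH_JARS_PATH (read)
# Outputs:  progress on stdout, download/verification errors on stderr
# Returns:  0 if every jar is present afterwards, 1 if any download or
#           checksum verification failed
#######################################
Download(){
  local PACKAGE SUBPATH PACKAGE_VERSION DOWNLOAD_URL FILE_FULLPATH
  local TMP_FILE EXPECTED_SHA1 ACTUAL_SHA1
  local FAILED=0
  echo "Begin download packages from maven repo"
  for PACKAGE in "${PACKAGE_NAMES[@]}"; do
    SUBPATH=${PACKAGE_SUBPATH_DICT[$PACKAGE]}
    PACKAGE_VERSION=${PACKAGE_VERSION_DICT[$PACKAGE]}
    DOWNLOAD_URL="https://repo1.maven.org/maven2/com/fasterxml/$MAIN_PACKAGE/$SUBPATH/$PACKAGE/$PACKAGE_VERSION/$PACKAGE-$PACKAGE_VERSION.jar"
    #for 2.9.8
    #FILE_FULLPATH="$CDH_COMMON_JARS_PATH/$PACKAGE-$PACKAGE_VERSION.jar"
    #for 2.9.9
    FILE_FULLPATH="$CDH_JARS_PATH/$PACKAGE-$PACKAGE_VERSION.jar"
    if [ -f "$FILE_FULLPATH" ]; then
      echo "$FILE_FULLPATH exists, no need download"
      continue
    fi
    echo "begin download $PACKAGE from URL: $DOWNLOAD_URL"
    # Temp file in the same directory so the final mv is an atomic rename.
    TMP_FILE=$(mktemp -- "$CDH_JARS_PATH/.$PACKAGE-$PACKAGE_VERSION.XXXXXX") || {
      echo "cannot create temp file in $CDH_JARS_PATH" >&2
      FAILED=1
      continue
    }
    if ! wget -O "$TMP_FILE" -- "$DOWNLOAD_URL"; then
      echo "download failed: $DOWNLOAD_URL" >&2
      rm -f -- "$TMP_FILE"
      FAILED=1
      continue
    fi
    # The sidecar holds the hex digest, optionally followed by a file name;
    # awk keeps only the digest.
    EXPECTED_SHA1=$(wget -q -O - -- "$DOWNLOAD_URL.sha1" | awk '{print $1}')
    ACTUAL_SHA1=$(sha1sum -- "$TMP_FILE" | awk '{print $1}')
    if [ -z "$EXPECTED_SHA1" ] || [ "$EXPECTED_SHA1" != "$ACTUAL_SHA1" ]; then
      echo "checksum mismatch for $PACKAGE-$PACKAGE_VERSION.jar (expected '$EXPECTED_SHA1', got '$ACTUAL_SHA1'), not installing" >&2
      rm -f -- "$TMP_FILE"
      FAILED=1
      continue
    fi
    mv -- "$TMP_FILE" "$FILE_FULLPATH"
    # Mode kept from the original script; a jar only needs to be readable.
    chmod 755 "$FILE_FULLPATH"
  done
  echo "Finished download packages from maven repo"
  return "$FAILED"
}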
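#2. create links to new version jars
#######################################
# For every artifact, create a symlink named <artifact>-<version>.jar in each
# directory of NEW_TARGET_PATHS that points at the real jar in CDH_JARS_PATH.
# An existing link is left alone; a target directory that does not exist
# (component not installed on this host) is skipped; a missing source jar is
# reported and counted as a failure.
# Globals:  PACKAGE_NAMES, NEW_TARGET_PATHS, PACKAGE_VERSION_DICT,
#           CDH_JARS_PATH (read)
# Outputs:  progress messages on stdout
# Returns:  0 if every expected link exists afterwards, 1 otherwise
#######################################
CreateLink2NewVersion(){
  local PACKAGE TGT_PATH PACKAGE_VERSION NEW_LINK_FILE NEW_SRC_FILE
  local FAILED=0
  #echo "Begin create the new links to CDH_COMMON_JARS_PATH"
  echo "Begin create the new links to CDH_JARS_PATH"
  for PACKAGE in "${PACKAGE_NAMES[@]}"; do
    PACKAGE_VERSION=${PACKAGE_VERSION_DICT[$PACKAGE]}
    NEW_SRC_FILE="$CDH_JARS_PATH/$PACKAGE-$PACKAGE_VERSION.jar"
    #for 2.9.8
    #for TGT_PATH in "${TARGET_PATHS[@]}"; do
    for TGT_PATH in "${NEW_TARGET_PATHS[@]}"; do
      if [ ! -d "$TGT_PATH" ]; then
        echo "target dir:$TGT_PATH not exist, skip"
        continue
      fi
      NEW_LINK_FILE="$TGT_PATH/$PACKAGE-$PACKAGE_VERSION.jar"
      if [ -h "$NEW_LINK_FILE" ]; then
        echo "link file:$NEW_LINK_FILE has created!"
        continue
      fi
      echo "create soft link from $NEW_LINK_FILE to $NEW_SRC_FILE"
      if [ -f "$NEW_SRC_FILE" ]; then
        # Quoted paths and `--` so neither a space nor a leading '-' in a
        # path can change what ln does.
        ln -s -- "$NEW_SRC_FILE" "$NEW_LINK_FILE"
      else
        echo "src file:$NEW_SRC_FILE not exist! cannot create soft link"
      fi
      if [ -h "$NEW_LINK_FILE" ]; then
        echo "create soft link successed!"
      else
        echo "create soft link failed!"
        FAILED=1
      fi
    done
  done
  # Message names the directory actually used (the original said CDH_COMMON_JARS_PATH).
  echo "Finished create the new links to CDH_JARS_PATH"
  return "$FAILED"
}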
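#3. remove links to old version jars
#######################################
# Remove the symlinks to the OLD_VERSION jars. For 2.9.8 the links live in
# TARGET_PATHS (Cloudera Manager directories); for any other old version in
# NEW_TARGET_PATHS (CDH parcel component directories).
# Globals:  PACKAGE_NAMES, OLD_VERSION, TARGET_PATHS, NEW_TARGET_PATHS (read)
# Outputs:  progress messages on stdout
# Returns:  0
#######################################
Unlink2OldVersion(){
  local PACKAGE TGT_PATH OLD_LINK_FILE
  local -a TARGET_DIRS
  # The directory set depends only on OLD_VERSION, so choose it once rather
  # than rebuilding the array for every package.
  if [ "$OLD_VERSION" == "2.9.8" ]; then
    TARGET_DIRS=("${TARGET_PATHS[@]}")
  else
    TARGET_DIRS=("${NEW_TARGET_PATHS[@]}")
  fi
  echo "Begin remove the old version links"
  for PACKAGE in "${PACKAGE_NAMES[@]}"; do
    for TGT_PATH in "${TARGET_DIRS[@]}"; do
      OLD_LINK_FILE="$TGT_PATH/$PACKAGE-$OLD_VERSION.jar"
      # Only a symlink is removed here; a regular file of that name is left
      # for RemoveOLDVersionFILE.
      if [ -h "$OLD_LINK_FILE" ]; then
        unlink "$OLD_LINK_FILE"
      else
        echo "unlink failed!link file:$OLD_LINK_FILE not exists!"
      fi
    done
  done
  echo "Finished remove the old version links"
}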
# Rollback helper: remove the "new version" links again.
# NOTE(review): this function reads SHIRO_PACKAGE_NAMES, IMPALA_JARS_PATH and
# NEW_VERSION, none of which are defined anywhere in this script (the jackson
# equivalents are PACKAGE_NAMES, NEW_TARGET_PATHS and PACKAGE_VERSION_DICT);
# it appears to have been carried over from a different upgrade script. It is
# only reached if the commented-out call at the bottom is re-enabled, and as
# written it would loop over an empty list and remove nothing — confirm the
# intended variables before using it as a rollback.
Unlink2NewVersion(){
echo "Begin remove the new version links"
for PACKAGE in "${SHIRO_PACKAGE_NAMES[@]}"; do
NEW_LINK_FILE="$IMPALA_JARS_PATH/$PACKAGE-$NEW_VERSION.jar"
if [ -h "$NEW_LINK_FILE" ]; then
unlink "$IMPALA_JARS_PATH/$PACKAGE-$NEW_VERSION.jar"
else
echo "unlink failed!link file:$NEW_LINK_FILE not exists!"
fi
done
echo "Finished remove the new version links"
}
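#4. delete the old version files
#######################################
# Delete the real OLD_VERSION jar files (the former symlink targets) once the
# links are gone. For 2.9.8 they sit in CDH_COMMON_JARS_PATH with a hash
# suffix (e.g. jackson-core-2.9.8.<hash>.jar); for 2.9.9/2.9.9.3 they sit in
# CDH_JARS_PATH as plain <artifact>-<version>.jar. The Flink parcel ships its
# own copy under FLINK_LIB_PATH, which is removed as well.
# Globals:  PACKAGE_NAMES, OLD_VERSION, CDH_COMMON_JARS_PATH, CDH_JARS_PATH,
#           CDH_FLINK_ROOT_LIB_PATH, FLINK_LIB_PATH (read)
# Outputs:  progress messages on stdout (rm -v lists each removed file)
# Returns:  0
#######################################
RemoveOLDVersionFILE(){
  local PACKAGE OLD_DIR OLD_VERSION_FILE FLINK_OLD_VERSION_FILE
  local -a OLD_VERSION_FILES
  local NULLGLOB_WAS_SET=0
  if [ "$OLD_VERSION" == "2.9.8" ]; then
    # for 2.9.8
    OLD_DIR="$CDH_COMMON_JARS_PATH"
  else
    #for 2.9.9 /2.9.9.3
    OLD_DIR="$CDH_JARS_PATH"
  fi
  # Expand the glob into an array: with nullglob zero matches yields an empty
  # list (not the literal pattern), and several matches are removed one by one
  # instead of being concatenated into a single bogus filename (which is what
  # `printf "%s" $pattern` did, silently removing nothing).
  shopt -q nullglob && NULLGLOB_WAS_SET=1
  shopt -s nullglob
  echo "Begin clean up the old version files from $OLD_DIR"
  for PACKAGE in "${PACKAGE_NAMES[@]}"; do
    #/opt/cloudera/cm/common_jars/jackson-core-2.9.8.e41844989cf7a437a2fa521f7b3c8328.jar
    # Pattern: <dir>/<artifact>-<OLD_VERSION>.<anything not ending in '.'>
    OLD_VERSION_FILES=("$OLD_DIR/$PACKAGE-$OLD_VERSION".*[!.])
    if [ "${#OLD_VERSION_FILES[@]}" -eq 0 ]; then
      echo "remove file failed: $OLD_DIR/$PACKAGE-$OLD_VERSION.* not exists!"
    fi
    for OLD_VERSION_FILE in "${OLD_VERSION_FILES[@]}"; do
      if [ -f "$OLD_VERSION_FILE" ]; then
        rm -vf -- "$OLD_VERSION_FILE"
      else
        echo "remove file failed: $OLD_VERSION_FILE not exists!"
      fi
    done
    FLINK_OLD_VERSION_FILE="$CDH_FLINK_ROOT_LIB_PATH/$FLINK_LIB_PATH/$PACKAGE-$OLD_VERSION.jar"
    if [ -f "$FLINK_OLD_VERSION_FILE" ]; then
      rm -vf -- "$FLINK_OLD_VERSION_FILE"
    else
      echo "remove file failed: $FLINK_OLD_VERSION_FILE not exists!"
    fi
  done
  # Restore the caller's nullglob setting.
  [ "$NULLGLOB_WAS_SET" -eq 1 ] || shopt -u nullglob
  echo "Finished clean up the old version files from $OLD_DIR"
}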
#######################################
# Entry point: run the upgrade steps in order — fetch the new jars, link them
# into every component directory, drop the old links, then delete the old
# files. Unlink2NewVersion (rollback) is intentionally not called.
#######################################
main() {
  #Unlink2NewVersion
  Download
  CreateLink2NewVersion
  Unlink2OldVersion
  RemoveOLDVersionFILE
}
main "$@"
- 修复效果复测,使用find命令
find / -name "jackson-databind*"|grep -v 2.9.10.3