On Wed, Oct 16, 2019 at 12:12 PM Fabrice Bacchella <fabrice.bacchella@icloud.com> wrote:
> When I launch oVirt 4.3.6, I see in the command line of the ovirt-engine:
>
> -Djackson.deserialization.whitelist.packages=org,com,java,javax
>
> That whitelist almost everything. Isn't that dangerous?

There is no other easy way to do that, because we are using a huge number of classes which can be serialized into JSON. The way the CVE for Jackson was fixed broke backward compatibility, but oVirt is not affected by this CVE, because we use Jackson directly only when storing data in the database or for internal engine - VDSM communication. So unless you have an attacker able to tamper with data in your database, or an attacker in the internal network who is able to masquerade as a proper host and return problematic JSON back to the engine, you are not affected.


> When I read this: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062, I think the whitelist should be as small as possible.
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-leave@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/GZODZPENEN2RU5LJDWXSEYKVRCFPIHOU/


--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
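The thread above contrasts a near-universal package whitelist (`org,com,java,javax`) with the narrow allowlist the linked article recommends. As an added illustration that is not oVirt's code and not the mechanism behind the `-Djackson.deserialization.whitelist.packages` property, the example below shows how upstream Jackson 2.10+ expresses the same idea with a `PolymorphicTypeValidator`: default typing is limited to one application package, and a type id pointing anywhere else is rejected before any object is instantiated. The package prefix `com.example.model.`, the `SafeMapper` class and the `Payload` type are constructed for the example.

```java
package com.example.model;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not oVirt code): restrict Jackson default typing to a single
 * application package instead of admitting almost every class on the classpath.
 * Requires jackson-databind 2.10 or later.
 */
public class SafeMapper {

    /** Constructed application type: the only kind of object we want Jackson to build polymorphically. */
    public static class Payload {
        public String name;
        public int value;
    }

    /** Builds a mapper whose polymorphic deserialization is limited to one hypothetical package prefix. */
    public static ObjectMapper build() {
        // Hypothetical prefix; an application would substitute its own model package.
        // Compare with "org,com,java,javax", which matches nearly the whole classpath.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Default typing stays on (the JSON carries class names), but every
        // class name is checked against the allowlist before instantiation.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = build();

        // Constructed input: the type id names an allowlisted class, so it deserializes normally.
        String allowed = "[\"com.example.model.SafeMapper$Payload\",{\"name\":\"disk1\",\"value\":42}]";
        Object ok = mapper.readValue(allowed, Object.class);
        System.out.println("accepted: " + ok.getClass().getName());

        // Constructed input: the type id lies outside the allowlist (a harmless JDK class here).
        // The validator refuses it; no constructor or setter of that class ever runs.
        String denied = "[\"java.util.ArrayList\",[]]";
        try {
            mapper.readValue(denied, Object.class);
            System.out.println("BUG: type outside the allowlist was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The security-relevant difference from the command-line property is the size of the set being allowed: a prefix like `com.example.model.` admits only the application's own data classes, so the question of whether some library on the classpath contains a usable gadget never arises. The same narrow prefix is what the article linked in the thread argues for.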