CDH6.3.1集群修复Jackson


系统环境

CentOS 7.7.1908
CDH 6.3.1
Jackson-databind 2.9.8/2.9.9/2.9.9.3

漏洞描述

【CVE】
CVE-2019-12384
【漏洞描述】
Jackson 对多态类型反序列化采用黑名单方式过滤危险类，而黑名单并不完整。当应用程序通过 ObjectMapper 调用 enableDefaultTyping()（或以其他方式开启了默认类型信息）时，攻击者即可构造包含恶意类名的 JSON 数据对应用发起攻击。CVE-2019-12384 对应的 gadget 类位于 logback-core 中，最终能否达成远程代码执行还取决于目标 classpath 上是否存在相应依赖（CVE 官方描述为 "Depending on the classpath content, remote code execution may be possible"），但只要开启了默认类型信息就应视为高风险并尽快升级。
【受影响版本】
Jackson-databind < 2.6.7.3，2.7.0 - 2.7.9.5，2.8.0 - 2.8.11.3，2.9.0 - 2.9.9.3（注：CVE-2019-12384 本身在 2.9.9.1 中已修复，这里的区间覆盖的是 2019 年 2.9.9.x 各小版本陆续修补的一系列同类黑名单绕过漏洞，因此直接升级到 2.9.10 系列）
【升级建议】
1. 修复该漏洞需要重启使用 Jackson 的服务：已经启动的 JVM 不会重新加载 classpath 上被替换的 jar，旧的漏洞类会一直留在内存中直到进程重启，因此建议在业务低峰期操作。
下载更新:
2. 请参考 Maven 中的升级方法升级到 2.6.7.3、2.7.9.6、2.8.11.4、2.9.10 及以上版本修复该漏洞。升级时 jackson-core、jackson-annotations 及各 module/dataformat 组件应与 jackson-databind 保持同一 2.9.10 小版本系列，避免版本不一致带来的运行时兼容问题。

修复过程

  1. 使用 find 命令查找系统中的 Jackson-databind 包（需在集群的每个节点上分别执行，脚本只处理本机文件系统）。注意使用英文直引号，中文引号会被当作文件名的一部分导致匹配不到：
    find / -name "jackson-databind*"
  2. 编写修复脚本。由于依赖 jackson-databind 的包比较多，为防止版本不一致的风险，需要将其他 jackson 组件都升级至 2.9.10，jackson-databind 升级至 2.9.10.3。脚本需在每个安装了 CDH parcel 的节点上以具有 /opt/cloudera 写权限的用户执行；下载地址应指向官方 Maven 仓库或内部镜像，并在落盘后校验 jar 的校验值再链接到各组件的 classpath。具体脚本如下所示：
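#!/bin/bash
########################################
#    upgrade jackson-databind version  #
#    write by BertramLAU               #
#    v1.0                              #
########################################
# Replaces the Jackson 2.9.x jars shipped with CDH 6.3.1 (and the CSA Flink
# parcel) by 2.9.10 / jackson-databind 2.9.10.3 for CVE-2019-12384 and the
# related polymorphic-typing blacklist bypasses covered by the same version
# range. Run on every host that carries the parcels, with write access to
# /opt/cloudera. Services must be restarted afterwards: a running JVM keeps
# the classes it has already loaded.
#
# Every setting can be overridden from the environment so the script does not
# have to be edited between passes, e.g.
#   OLD_VERSION=2.9.9 ./upgrade_jackson.sh
# (three old versions coexist on the hosts: 2.9.8, 2.9.9 and 2.9.9.3).

# define package versions
OLD_VERSION="${OLD_VERSION:-2.9.8}"                  # version removed in this pass
NEW_MAIN_VERSION="${NEW_MAIN_VERSION:-2.9.10}"       # core / annotations / modules
NEW_MINUS_VERSION="${NEW_MINUS_VERSION:-2.9.10.3}"   # jackson-databind patch release
MAIN_PACKAGE="jackson"    # group-id segment below com/fasterxml in the Maven layout

# Cloudera Manager side (these directories hold the 2.9.8 jars)
CDH_COMMON_JARS_PATH="/opt/cloudera/cm/common_jars"
CLOUDERA_NAVIGATOR_SERVER_CDH5_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-server/libs/cdh5"
CLOUDERA_NAVIGATOR_SERVER_CDH6_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-server/libs/cdh6"
CLOUDERA_NAVIGATOR_SERVER_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-server/jars"
CLOUDERA_SCM_TELEPUB_JARS_PATH="/opt/cloudera/cm/cloudera-scm-telepub/jars"
CLOUDERA_NAVIGATOR_AUDIT_SERVER_JARS_PATH="/opt/cloudera/cm/cloudera-navigator-audit-server"
CDH_LIB_PATH="/opt/cloudera/cm/lib"

# Parcel side (these directories hold the 2.9.9 / 2.9.9.3 jars). The parcel
# directory name is build-specific; override CDH_PARCEL_DIR if a different
# CDH 6.3.1 build is installed instead of editing the script.
CDH_PARCEL_DIR="${CDH_PARCEL_DIR:-/opt/cloudera/parcels/CDH-6.3.1-1.cdh6.3.1.p0.1470567}"
CDH_JARS_PATH="$CDH_PARCEL_DIR/jars"
CDH_ROOT_LIB_PATH="$CDH_PARCEL_DIR/lib"
CDH_FLINK_ROOT_LIB_PATH="${CDH_FLINK_ROOT_LIB_PATH:-/opt/cloudera/parcels/FLINK-1.9.0-csa1.0.0.0-cdh6.3.0/lib}"

# Component library directories, relative to CDH_ROOT_LIB_PATH
# (FLINK_LIB_PATH is relative to CDH_FLINK_ROOT_LIB_PATH).
FLINK_LIB_PATH="flink/lib"
HBASE_SOLR_PATH="hbase-solr/lib"
KITE_LIB_PATH="kite/lib"
SENTRY_LIB_PATH="sentry/lib"
OOZIE_LIBTOOLS_PATH="oozie/libtools"
OOZIE_EMBEDDED_OOZIE_SERVER_PATH="oozie/embedded-oozie-server/webapp/WEB-INF/lib"
OOZIE_SHARELIB_YARN_HIVE_PATH="oozie/oozie-sharelib-yarn/lib/hive"
OOZIE_SHARELIB_YARN_SPARK_PATH="oozie/oozie-sharelib-yarn/lib/spark"
OOZIE_SHARELIB_YARN_SQOOP_PATH="oozie/oozie-sharelib-yarn/lib/sqoop"
OOZIE_SHARELIB_YARN_PIG_PATH="oozie/oozie-sharelib-yarn/lib/pig"
OOZIE_SHARELIB_YARN_HIVE2_PATH="oozie/oozie-sharelib-yarn/lib/hive2"
OOZIE_SHARELIB_YARN_HCATALOG_PATH="oozie/oozie-sharelib-yarn/lib/hcatalog"
OOZIE_SHARELIB_YARN_GIT_PATH="oozie/oozie-sharelib-yarn/lib/git"
OOZIE_LIB_PATH="oozie/lib"
SEARCH_LIB_SEARCH_CRUNCH_PATH="search/lib/search-crunch"
SEARCH_LIB_PATH="search/lib"
HIVE_LIB_PATH="hive/lib"
SOLR_SERVER_LIB_EXT_PATH="solr/server/lib/ext"
SOLR_SERVER_WEBAPP_PATH="solr/server/solr-webapp/webapp/WEB-INF/lib"
FLUME_NG_LIB_PATH="flume-ng/lib"
KAFKA_LIBS_PATH="kafka/libs"
SPARK_JARS_PATH="spark/jars"
SQOOP_LIB_PATH="sqoop/lib"
PIG_LIB_PATH="pig/lib"
PIG_LIB_SPARK_PATH="pig/lib/spark"
IMPALA_LIB_PATH="impala/lib"
HBASE_LIB_PATH="hbase/lib"
HADOOP_YARN_LIB_PATH="hadoop-yarn/lib"
HADOOP_HDFS_LIB_PATH="hadoop-hdfs/lib"
HADOOP_CLIENT_PATH="hadoop/client"
HADOOP_LIB_PATH="hadoop/lib"
PARQUET_LIB_PATH="parquet/lib"

#define the old version paths
#for 2.9.8 (Cloudera Manager directories)
TARGET_PATHS=(
  "$CLOUDERA_NAVIGATOR_SERVER_CDH5_JARS_PATH"
  "$CLOUDERA_NAVIGATOR_SERVER_CDH6_JARS_PATH"
  "$CLOUDERA_NAVIGATOR_SERVER_JARS_PATH"
  "$CLOUDERA_SCM_TELEPUB_JARS_PATH"
  "$CLOUDERA_NAVIGATOR_AUDIT_SERVER_JARS_PATH"
  "$CDH_LIB_PATH"
)
#for 2.9.9 / 2.9.9.3 (parcel directories)
NEW_TARGET_PATHS=(
  "$CDH_ROOT_LIB_PATH/$HBASE_SOLR_PATH"
  "$CDH_ROOT_LIB_PATH/$KITE_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$SENTRY_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HADOOP_YARN_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HADOOP_HDFS_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HADOOP_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HADOOP_CLIENT_PATH"
  "$CDH_ROOT_LIB_PATH/$PARQUET_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_LIBTOOLS_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_EMBEDDED_OOZIE_SERVER_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_HIVE_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_SPARK_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_SQOOP_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_PIG_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_HIVE2_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_HCATALOG_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_SHARELIB_YARN_GIT_PATH"
  "$CDH_ROOT_LIB_PATH/$OOZIE_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$SEARCH_LIB_SEARCH_CRUNCH_PATH"
  "$CDH_ROOT_LIB_PATH/$SEARCH_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HIVE_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$IMPALA_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$SOLR_SERVER_LIB_EXT_PATH"
  "$CDH_ROOT_LIB_PATH/$SOLR_SERVER_WEBAPP_PATH"
  "$CDH_ROOT_LIB_PATH/$FLUME_NG_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$KAFKA_LIBS_PATH"
  "$CDH_ROOT_LIB_PATH/$SPARK_JARS_PATH"
  "$CDH_ROOT_LIB_PATH/$PIG_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$PIG_LIB_SPARK_PATH"
  "$CDH_ROOT_LIB_PATH/$SQOOP_LIB_PATH"
  "$CDH_ROOT_LIB_PATH/$HBASE_LIB_PATH"
  "$CDH_FLINK_ROOT_LIB_PATH/$FLINK_LIB_PATH"
)

# Artifact -> group-id segment (Maven layout: com/fasterxml/jackson/<segment>/<artifact>/)
declare -A PACKAGE_SUBPATH_DICT
# Artifact -> version to install. Only jackson-databind gets the .3 patch
# release; everything else stays on the matching 2.9.10 baseline.
declare -A PACKAGE_VERSION_DICT
PACKAGE_SUBPATH_DICT=(
  [jackson-dataformat-csv]="dataformat"
  [jackson-dataformat-xml]="dataformat"
  [jackson-dataformat-yaml]="dataformat"
  [jackson-module-jsonSchema]="module"
  [jackson-dataformat-cbor]="dataformat"
  [jackson-dataformat-smile]="dataformat"
  [jackson-datatype-joda]="datatype"
  [jackson-datatype-jdk8]="datatype"
  [jackson-jaxrs-base]="jaxrs"
  [jackson-annotations]="core"
  [jackson-jaxrs-json-provider]="jaxrs"
  [jackson-core]="core"
  [jackson-module-jaxb-annotations]="module"
  [jackson-module-mrbean]="module"
  [jackson-module-paranamer]="module"
  [jackson-module-scala_2.11]="module"
  [jackson-databind]="core"
)
PACKAGE_VERSION_DICT=(
  [jackson-dataformat-csv]="$NEW_MAIN_VERSION"
  [jackson-dataformat-xml]="$NEW_MAIN_VERSION"
  [jackson-dataformat-smile]="$NEW_MAIN_VERSION"
  [jackson-dataformat-yaml]="$NEW_MAIN_VERSION"
  [jackson-module-paranamer]="$NEW_MAIN_VERSION"
  [jackson-module-scala_2.11]="$NEW_MAIN_VERSION"
  [jackson-datatype-jdk8]="$NEW_MAIN_VERSION"
  [jackson-datatype-joda]="$NEW_MAIN_VERSION"
  [jackson-jaxrs-base]="$NEW_MAIN_VERSION"
  [jackson-module-jsonSchema]="$NEW_MAIN_VERSION"
  [jackson-dataformat-cbor]="$NEW_MAIN_VERSION"
  [jackson-annotations]="$NEW_MAIN_VERSION"
  [jackson-jaxrs-json-provider]="$NEW_MAIN_VERSION"
  [jackson-core]="$NEW_MAIN_VERSION"
  [jackson-module-jaxb-annotations]="$NEW_MAIN_VERSION"
  [jackson-module-mrbean]="$NEW_MAIN_VERSION"
  [jackson-databind]="$NEW_MINUS_VERSION"
)
# Processing order; jackson-databind last so its dependencies are in place first.
PACKAGE_NAMES=(
  jackson-dataformat-csv
  jackson-dataformat-cbor
  jackson-dataformat-yaml
  jackson-dataformat-xml
  jackson-dataformat-smile
  jackson-datatype-joda
  jackson-datatype-jdk8
  jackson-module-jsonSchema
  jackson-jaxrs-base
  jackson-jaxrs-json-provider
  jackson-annotations
  jackson-core
  jackson-module-jaxb-annotations
  jackson-module-mrbean
  jackson-module-paranamer
  jackson-module-scala_2.11
  jackson-databind
)

# Self-check: a package missing from either table would otherwise turn into a
# bogus "<name>-.jar" download URL and file name further down.
for _pkg in "${PACKAGE_NAMES[@]}"; do
  if [ -z "${PACKAGE_SUBPATH_DICT[$_pkg]}" ] || [ -z "${PACKAGE_VERSION_DICT[$_pkg]}" ]; then
    echo "configuration error: $_pkg has no subpath/version entry" >&2
    exit 1
  fi
done
unset _pkg

#1. download jackson jars from maven source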
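#######################################
# Fetch every artifact in PACKAGE_NAMES into CDH_JARS_PATH and verify it.
# Globals (read): PACKAGE_NAMES, PACKAGE_SUBPATH_DICT, PACKAGE_VERSION_DICT,
#   MAIN_PACKAGE, CDH_JARS_PATH, MAVEN_REPO_BASE (optional override)
# Outputs: progress on stdout, failures on stderr
# Returns: 0 when every jar is present, 1 if any download or checksum failed
#######################################
Download() {
  # The repository host was missing from the original listing (the URL started
  # with "/"); the layout below is Maven Central's for the com.fasterxml.jackson.*
  # groups. Point MAVEN_REPO_BASE at an internal mirror on hosts without
  # Internet access.
  local repo_base="${MAVEN_REPO_BASE:-https://repo1.maven.org/maven2/com/fasterxml}"
  local package subpath version url dest tmp expected actual
  local rc=0

  echo "Begin download packages from maven repo"
  for package in "${PACKAGE_NAMES[@]}"; do
    subpath=${PACKAGE_SUBPATH_DICT[$package]}
    version=${PACKAGE_VERSION_DICT[$package]}
    url="$repo_base/$MAIN_PACKAGE/$subpath/$package/$version/$package-$version.jar"
    dest="$CDH_JARS_PATH/$package-$version.jar"

    # -s (non-empty) rather than -f: a 0-byte leftover from an interrupted
    # run must be re-downloaded, not accepted as "already there".
    if [ -s "$dest" ]; then
      echo "$dest exists, no need download"
      continue
    fi

    echo "begin download $package from URL: $url"
    # Download to a temporary name. 'wget -O <dest>' creates the destination
    # before the transfer, so a failed fetch would leave an empty jar that
    # then gets symlinked into every component's classpath.
    tmp="$dest.part"
    if ! wget -O "$tmp" "$url"; then
      echo "download failed: $url" >&2
      rm -f -- "$tmp"
      rc=1
      continue
    fi

    # Supply-chain check: compare with the .sha1 sidecar the repository
    # publishes next to every artifact. This catches truncation, corruption
    # and a mirror serving the wrong file. It does not prove provenance
    # (the digest comes from the same origin as the jar) -- verify the .asc
    # PGP signature too if the environment requires that level of assurance.
    expected=$(wget -q -O - "$url.sha1" | awk 'NR==1 {print tolower($1)}' | tr -d '\r')
    actual=$(sha1sum "$tmp" | awk '{print $1}')
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
      echo "checksum mismatch for $package-$version.jar (expected '$expected', got '$actual'); discarding" >&2
      rm -f -- "$tmp"
      rc=1
      continue
    fi

    mv -f -- "$tmp" "$dest"
    # A jar only needs to be readable by the JVM; no execute bit required.
    chmod 644 "$dest"
  done
  echo "Finished download packages from maven repo"
  return "$rc"
}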
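#2. create links to new version jars
#######################################
# Symlink each new-version jar from CDH_JARS_PATH into every component library
# directory listed in NEW_TARGET_PATHS.
# Globals (read): PACKAGE_NAMES, PACKAGE_VERSION_DICT, NEW_TARGET_PATHS, CDH_JARS_PATH
# Outputs: progress on stdout, failures on stderr
# Returns: 0 when every expected link exists afterwards, 1 otherwise
#
# NOTE(review): every module is linked into every directory, whether or not that
# component shipped it before, which widens each component's classpath. Limiting
# the links to packages whose old-version jar already existed in the directory
# would be tighter -- confirm against the component owners before changing it.
#######################################
CreateLink2NewVersion() {
  local package version tgt_dir link src
  local rc=0
  echo "Begin create the new links to CDH_JARS_PATH"
  for package in "${PACKAGE_NAMES[@]}"; do
    version=${PACKAGE_VERSION_DICT[$package]}
    src="$CDH_JARS_PATH/$package-$version.jar"
    # Check the source once per package instead of once per target directory.
    if [ ! -f "$src" ]; then
      echo "src file:$src not exist! cannot create soft link" >&2
      rc=1
      continue
    fi
    for tgt_dir in "${NEW_TARGET_PATHS[@]}"; do
      link="$tgt_dir/$package-$version.jar"
      if [ -h "$link" ]; then
        echo "link file:$link has created!"
        continue
      fi
      # Not every host has every component (e.g. the Flink parcel); skip
      # instead of letting ln fail into a missing directory.
      if [ ! -d "$tgt_dir" ]; then
        echo "target dir $tgt_dir does not exist, skipping"
        continue
      fi
      # Never replace a real file of that name -- it is a jar the component
      # itself shipped and deserves a human look rather than a silent clobber.
      if [ -e "$link" ]; then
        echo "$link exists and is not a symlink; not replacing it" >&2
        rc=1
        continue
      fi
      echo "create soft link from $link to $src"
      if ln -s "$src" "$link"; then
        echo "create soft link successed!"
      else
        echo "create soft link failed!" >&2
        rc=1
      fi
    done
  done
  echo "Finished create the new links to CDH_JARS_PATH"
  return "$rc"
}
#3. remove links to old version jars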
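#######################################
# Remove the symlinks that point at the old-version jars.
# Arguments: optional list of old versions to remove; defaults to OLD_VERSION.
#   Links for 2.9.8 live in the Cloudera Manager directories (TARGET_PATHS),
#   every other version in the parcel directories (NEW_TARGET_PATHS). Three
#   old versions coexist on the hosts (2.9.8, 2.9.9, 2.9.9.3), so either one
#   pass per version or one call with all three is needed before a host is
#   actually clean -- a vulnerable jar left next to the new one stays on the
#   classpath and it is up to class-loading order which copy wins.
# Globals (read): PACKAGE_NAMES, OLD_VERSION, TARGET_PATHS, NEW_TARGET_PATHS
#######################################
Unlink2OldVersion() {
  local -a versions target_dirs
  local version package tgt_dir old_link
  if [ $# -gt 0 ]; then
    versions=("$@")
  else
    versions=("$OLD_VERSION")
  fi
  echo "Begin remove the old version links"
  for version in "${versions[@]}"; do
    if [ "$version" = "2.9.8" ]; then
      target_dirs=("${TARGET_PATHS[@]}")
    else
      target_dirs=("${NEW_TARGET_PATHS[@]}")
    fi
    for package in "${PACKAGE_NAMES[@]}"; do
      for tgt_dir in "${target_dirs[@]}"; do
        old_link="$tgt_dir/$package-$version.jar"
        # -h: only ever remove a symlink; real files are handled by
        # RemoveOLDVersionFILE, which knows where they live.
        if [ -h "$old_link" ]; then
          unlink "$old_link"
        else
          echo "unlink failed!link file:$old_link not exists!"
        fi
      done
    done
  done
  echo "Finished remove the old version links"
}

#######################################
# Rollback helper (not called by default): remove the links created by
# CreateLink2NewVersion so the old jars can be re-linked by hand.
# Globals (read): PACKAGE_NAMES, PACKAGE_VERSION_DICT, NEW_TARGET_PATHS
#
# NOTE(review): the original body referenced SHIRO_PACKAGE_NAMES, IMPALA_JARS_PATH
# and NEW_VERSION, none of which this script defines (they look copied from a
# Shiro upgrade script), so it could never have removed anything. It now mirrors
# CreateLink2NewVersion exactly.
#######################################
Unlink2NewVersion() {
  local package version tgt_dir new_link
  echo "Begin remove the new version links"
  for package in "${PACKAGE_NAMES[@]}"; do
    version=${PACKAGE_VERSION_DICT[$package]}
    for tgt_dir in "${NEW_TARGET_PATHS[@]}"; do
      new_link="$tgt_dir/$package-$version.jar"
      if [ -h "$new_link" ]; then
        unlink "$new_link"
      else
        echo "unlink failed!link file:$new_link not exists!"
      fi
    done
  done
  echo "Finished remove the new version links"
}
#4. delete the old version files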
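#######################################
# Delete the old-version jar files themselves (the targets of the links removed
# by Unlink2OldVersion) from the central jar directory and the Flink lib dir.
# Globals (read): PACKAGE_NAMES, OLD_VERSION, CDH_COMMON_JARS_PATH, CDH_JARS_PATH,
#   CDH_FLINK_ROOT_LIB_PATH, FLINK_LIB_PATH
# Outputs: rm -v output and progress on stdout, misses on stdout as before
#
# File names matched: NAME-VERSION.jar and NAME-VERSION.<hex hash>.jar (Cloudera
# Manager stores e.g. jackson-core-2.9.8.e41844989cf7a437a2fa521f7b3c8328.jar).
# The original glob NAME-VERSION.* also matched the *longer* version, so with
# OLD_VERSION=2.9.9 it picked up jackson-databind-2.9.9.3.jar as well; printf
# then folded both matches into one non-existent path and nothing was deleted.
#######################################
RemoveOLDVersionFILE() {
  local package jar_dir candidate base flink_old_file removed
  if [ "$OLD_VERSION" = "2.9.8" ]; then
    # for 2.9.8: the Cloudera Manager jar store (hash-suffixed file names)
    jar_dir="$CDH_COMMON_JARS_PATH"
  else
    # for 2.9.9 / 2.9.9.3: the parcel jar directory
    jar_dir="$CDH_JARS_PATH"
  fi
  echo "Begin clean up the old version files from $jar_dir"
  for package in "${PACKAGE_NAMES[@]}"; do
    removed=0
    for candidate in "$jar_dir/$package-$OLD_VERSION".*; do
      # An unmatched glob leaves the literal pattern in $candidate.
      [ -e "$candidate" ] || continue
      base=${candidate##*/}
      # Quoted parts of the pattern are literal; only the tail is regex.
      if [[ "$base" =~ ^"$package-$OLD_VERSION"(\.[0-9a-f]{8,})?\.jar$ ]]; then
        if [ -f "$candidate" ]; then
          rm -vf -- "$candidate"
          removed=1
        fi
      fi
    done
    if [ "$removed" -eq 0 ]; then
      echo "remove file failed: $jar_dir/$package-$OLD_VERSION*.jar not exists!"
    fi

    # The Flink parcel carries real files, not links, directly in flink/lib.
    flink_old_file="$CDH_FLINK_ROOT_LIB_PATH/$FLINK_LIB_PATH/$package-$OLD_VERSION.jar"
    if [ -f "$flink_old_file" ]; then
      rm -vf -- "$flink_old_file"
    else
      echo "remove file failed: $flink_old_file not exists!"
    fi
  done
  echo "Finished clean up the old version files from $jar_dir"
}
#Unlink2NewVersion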
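# Entry point. The order is significant:
#   1. Download             -- the new jars must exist before anything points at them
#   2. CreateLink2NewVersion
#   3. Unlink2OldVersion    -- old links go only after the new ones are in place
#   4. RemoveOLDVersionFILE -- delete the old files last, once nothing links to them
# Unlink2NewVersion is the manual rollback helper and is deliberately not run.
main() {
  # Preflight: with a wrong parcel path every link created below would dangle.
  if [ ! -d "$CDH_JARS_PATH" ]; then
    echo "CDH jar directory '$CDH_JARS_PATH' not found; check the parcel path before running" >&2
    exit 1
  fi
  # Stop before touching any classpath if the download step reports a failure;
  # linking to a jar that is missing or failed verification is worse than
  # leaving the host unpatched for another run.
  if ! Download; then
    echo "download step reported a failure; no classpath was modified" >&2
    exit 1
  fi
  CreateLink2NewVersion
  Unlink2OldVersion
  RemoveOLDVersionFILE
}
main "$@"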
  1. 修复效果复测。除了按文件名查找 jackson-databind 外，建议同时检查其余 jackson 2.9 组件是否仍有旧版本残留，以及是否留下了指向已删除 jar 的悬空软链接：
find / -name "jackson-databind*" | grep -v 2.9.10.3
find / -name "jackson-*-2.9.*.jar" | grep -v 2.9.10
find / -xtype l -name "jackson-*"
注意：按文件名查找无法发现被 shade / 重打包进其他 jar 内部的 jackson 副本，也不能说明正在运行的进程实际加载的是哪个版本；修复以重启相关服务后 JVM 真正加载的类为准，且需在集群每个节点上分别复测。

总结

参考资料

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
