Bug 1549276 (CVE-2018-7489) - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-7489
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1549279 1549393 1549394 1551886 1551887 1551888 1561825 1561826 1582507 1730588 1731780 1731787 1731789 1731790 1731792 1732286 1732291 1732539
Blocks: 1549282
Reported: 2018-02-26 21:21 UTC by Pedro Sampaio
Modified: 2021-12-10 15:43 UTC (History)

Fixed In Version: jackson-databind 2.8.11.1, jackson-databind 2.9.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in FasterXML jackson-databind: it permitted polymorphic deserialization of malicious objects through the c3p0 gadget when used with polymorphic type handling such as `enableDefaultTyping()`, `@JsonTypeInfo` with `Id.CLASS` or `Id.MINIMAL_CLASS`, or any other configuration in which `ObjectMapper.readValue` can instantiate a class named by untrusted input. An attacker could use this flaw to execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:41:22 UTC
Embargoed:

Links
System                  ID              Last Updated
Red Hat Product Errata  RHSA-2018:1447  2018-05-14 20:17:16 UTC
Red Hat Product Errata  RHSA-2018:1448  2018-05-14 20:35:55 UTC
Red Hat Product Errata  RHSA-2018:1449  2018-05-14 20:40:06 UTC
Red Hat Product Errata  RHSA-2018:1450  2018-05-14 20:44:31 UTC
Red Hat Product Errata  RHSA-2018:1451  2018-05-14 20:52:05 UTC
Red Hat Product Errata  RHSA-2018:1786  2018-06-04 11:16:31 UTC
Red Hat Product Errata  RHSA-2018:2088  2018-06-27 14:35:41 UTC
Red Hat Product Errata  RHSA-2018:2089  2018-06-27 15:04:58 UTC
Red Hat Product Errata  RHSA-2018:2090  2018-06-27 15:03:09 UTC
Red Hat Product Errata  RHSA-2018:2938  2018-10-17 13:04:18 UTC
Red Hat Product Errata  RHSA-2018:2939  2018-10-17 19:29:53 UTC
Red Hat Product Errata  RHSA-2019:3149  2019-10-18 19:52:34 UTC
Red Hat Product Errata  RHSA-2020:2562  2020-06-15 16:14:07 UTC

Description Pedro Sampaio 2018-02-26 21:21:52 UTC
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Upstream issue:

https://github.com/FasterXML/jackson-databind/issues/1931

Upstream patch:

https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2

Comment 1 Pedro Sampaio 2018-02-26 21:24:56 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1549279]

Comment 6 Jason Shepherd 2018-03-27 23:53:07 UTC
RHMAP does not use RESTEasy in an unsafe way. Marking as not affected.

Comment 7 Jason Shepherd 2018-03-28 22:46:11 UTC
RHOAR VertX uses c3p0 and jackson-databind 2.9.3, so is affected by this flaw. Filing a tracking bug which will target the 3.5.1 release.

Comment 15 errata-xmlrpc 2018-05-14 20:16:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447

Comment 16 errata-xmlrpc 2018-05-14 20:35:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448

Comment 17 errata-xmlrpc 2018-05-14 20:39:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449

Comment 18 errata-xmlrpc 2018-05-14 20:43:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450

Comment 19 errata-xmlrpc 2018-05-14 20:51:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451

Comment 21 Martin Prpič 2018-05-16 07:35:22 UTC
External References:

https://access.redhat.com/solutions/3442891

Comment 22 errata-xmlrpc 2018-06-04 11:16:01 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2018:1786 https://access.redhat.com/errata/RHSA-2018:1786

Comment 24 errata-xmlrpc 2018-06-27 14:35:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:2088 https://access.redhat.com/errata/RHSA-2018:2088

Comment 25 errata-xmlrpc 2018-06-27 15:02:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:2090 https://access.redhat.com/errata/RHSA-2018:2090

Comment 26 errata-xmlrpc 2018-06-27 15:04:30 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:2089 https://access.redhat.com/errata/RHSA-2018:2089

Comment 27 errata-xmlrpc 2018-10-17 13:03:49 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:2938 https://access.redhat.com/errata/RHSA-2018:2938

Comment 28 errata-xmlrpc 2018-10-17 19:29:12 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

Comment 46 Cedric Buissart 2018-12-11 11:32:04 UTC
Statement:

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.

Satellite 6.2 does not support c3p0 classes. Since the latter are required for this flaw, Satellite 6.2 is not affected. Satellite 6.3 and 6.4 are not affected because Candlepin does not use polymorphic deserialization.

Comment 57 errata-xmlrpc 2019-09-27 00:13:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858

Comment 58 errata-xmlrpc 2019-10-18 19:52:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149

Comment 59 Jonathan Christison 2020-02-28 14:06:08 UTC
Mitigation:

Advice on how to remain safe while using JAX-RS webservices on JBoss EAP 7.x is available here:

https://access.redhat.com/solutions/3279231
https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization

General Mitigation:
Try to avoid
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`
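
The Doc Text above describes the configuration that makes the c3p0 gadget reachable, and the mitigation list says what to avoid. The following is an added example, not code from jackson-databind, Red Hat or the reporter, that puts the two side by side: a mapper with `enableDefaultTyping()` lets the JSON name the class that gets instantiated, while a mapper without default typing, using `@JsonTypeInfo(use = Id.NAME)` plus an explicit `@JsonSubTypes` allowlist, only ever maps a logical name to a class the application registered. The types `Shape`, `Circle`, `Envelope` and `SafeEnvelope` and all JSON inputs are hypothetical and constructed for the demo; `Circle` stands in for a gadget class, since the point is who chooses the class, not which class it is. The last method assumes jackson-databind 2.10 or newer, where `activateDefaultTyping(PolymorphicTypeValidator)` exists; the 2.8.11.1 and 2.9.5 fix versions named on this page only extend the blacklist and have no such allowlist API.

```java
import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added illustration (not jackson-databind code): the default-typing setup that
 * exposes CVE-2018-7489-style gadgets, next to two safer alternatives.
 * Every application type and JSON document below is hypothetical / constructed.
 */
public class PolymorphicTypingDemo {

    // Logical names, not class names, are the only type identifiers the sender may pick.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    public interface Shape { }

    public static class Circle implements Shape {
        public double radius;
    }

    // Vulnerable sink: an Object-typed field plus default typing lets the JSON name the class.
    public static class Envelope {
        public Object payload;
    }

    // Hardened sink: a declared base type whose subtypes are enumerated with @JsonSubTypes.
    public static class SafeEnvelope {
        public Shape payload;
    }

    // Constructed input. Under default typing the first array element is a fully qualified
    // class name that jackson-databind loads and instantiates; Circle stands in for a gadget.
    static final String CLASS_NAMED_BY_SENDER =
        "{\"payload\":[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]}";

    // Constructed input for the hardened mapper: a logical type name nobody registered.
    static final String UNKNOWN_LOGICAL_NAME =
        "{\"payload\":{\"type\":\"some.ClassName\",\"radius\":1}}";

    /** Vulnerable: global default typing; on 2.9.5 only the class blacklist stands in the way. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE, class names in the JSON
        return mapper;
    }

    /** Safer: no default typing; polymorphism only through @JsonTypeInfo(Id.NAME) allowlists. */
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    /** If default typing cannot be removed: jackson-databind 2.10+ allowlist validator. */
    static ObjectMapper allowlistedDefaultTypingMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Shape.class) // only Shape implementations may be named in JSON
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv);
        return mapper;
    }

    public static void main(String[] args) throws IOException {
        // 1. Vulnerable: the JSON chose the class and jackson-databind instantiated it.
        Envelope e = vulnerableMapper().readValue(CLASS_NAMED_BY_SENDER, Envelope.class);
        System.out.println("default typing instantiated: " + e.payload.getClass().getName());

        // 2. No default typing: the same bytes are just a List; no class name is resolved.
        Envelope plain = hardenedMapper().readValue(CLASS_NAMED_BY_SENDER, Envelope.class);
        System.out.println("without default typing payload is: " + plain.payload.getClass().getName());

        // 3. @JsonSubTypes allowlist: an unregistered logical name is an error, not a class load.
        try {
            hardenedMapper().readValue(UNKNOWN_LOGICAL_NAME, SafeEnvelope.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected unknown type id: " + ex.getTypeId());
        }

        // 4. Validator-restricted default typing (2.10+): a class outside the allowlist is refused.
        try {
            allowlistedDefaultTypingMapper().readValue(
                "{\"payload\":[\"java.util.HashMap\",{}]}", Envelope.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("validator refused: " + ex.getTypeId());
        }
    }
}
```

Case 2 is the cheapest check to run against an existing service: if the same class-name-in-an-array document comes back as a plain `List` rather than an instance, default typing is off for that field. Case 3 shows the shape of the fix the mitigation list recommends, and it works on the 2.8.11.1 and 2.9.5 lines as well; case 4 is only a fallback for code that cannot drop default typing and has already moved to 2.10 or later.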

Comment 60 errata-xmlrpc 2020-06-15 16:14:01 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2562 https://access.redhat.com/errata/RHSA-2020:2562
