A flaw was found in FasterXML Jackson Databind, which did not have entity expansion secured properly, making it vulnerable to XML external entity (XXE) attacks. This vulnerability is similar to CVE-2019-10172. The primary threat from this flaw is to data integrity.
External References: https://github.com/FasterXML/jackson-databind/issues/2589
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1887779]
Marking Red Hat JBoss Fuse 6 and Red Hat Fuse 7 as having a moderate impact. Both versions distribute affected versions of jackson-databind; however, its use in both Fuse 6 and Fuse 7 is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Marking Red Hat Camel K as having a moderate impact. Although Camel K distributes affected versions of jackson-databind, its use is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.
Marking Red Hat JBoss AMQ 6 as having a moderate impact. Although AMQ 6 distributes affected versions of jackson-databind, its use in both AMQ 6 and, as noted earlier, Fuse 6 is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss AMQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2020:4312 https://access.redhat.com/errata/RHSA-2020:4312
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25649
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:4402 https://access.redhat.com/errata/RHSA-2020:4402
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
Via RHSA-2020:4401 https://access.redhat.com/errata/RHSA-2020:4401
Mitigation: There is currently no known mitigation for this flaw.
This issue has been addressed in the following products: Vert.x 3.9.4 Via RHSA-2020:4379 https://access.redhat.com/errata/RHSA-2020:4379
Marking Red Hat Integration Service Registry as having a low impact. Although Service Registry uses affected versions of jackson-databind, its use is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:5344 https://access.redhat.com/errata/RHSA-2020:5344
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2020:5340 https://access.redhat.com/errata/RHSA-2020:5340
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2020:5341 https://access.redhat.com/errata/RHSA-2020:5341
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:5342 https://access.redhat.com/errata/RHSA-2020:5342
This issue has been addressed in the following products: Red Hat Data Grid 7.3.8 Via RHSA-2020:5410 https://access.redhat.com/errata/RHSA-2020:5410
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:5533 https://access.redhat.com/errata/RHSA-2020:5533
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:5361 https://access.redhat.com/errata/RHSA-2020:5361
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:0381 https://access.redhat.com/errata/RHSA-2021:0381
Statement:
* Red Hat Enterprise Linux 8 ships a vulnerable version of jackson-databind in the pki-deps:10.6 module. pki-deps:10.6 is for pki-core dependencies, but pki-core does not use the vulnerable DOMDeserializer class and thus has been set to low impact. Future updates may include a fixed version of jackson-databind.
* Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind code. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
* Red Hat Virtualization ships a vulnerable version of jackson-databind; however, the vulnerable DOMDeserializer class is not used in the code, reducing the impact to low.
* Red Hat OpenShift Container Platform (OCP) ships a vulnerable version of jackson-databind, but in the affected containers the DOMDeserializer class is not used. Additionally, access to the containers is restricted to authenticated users only (OpenShift OAuth authentication), reducing the severity of this vulnerability to Low. In OCP 4 there are no plans to maintain the ose-logging-elasticsearch5 container, hence it is marked as wontfix.
* Red Hat Satellite ships an affected version of jackson-databind through Candlepin; however, the product code does not use the DOMDeserializer class or jackson-databind in a vulnerable way. Thus the impact has been set to low. A future release may update jackson-databind to a fixed version.
* Red Hat Single Sign-On (RH-SSO) ships an affected version of jackson-databind; however, none of the product code uses the affected class (DOMDeserializer). Thus the impact has been set to low. RH-SSO will consume the fixed artifact from EAP in the next CP.
Further to comment#33, which marked Red Hat Fuse 7 and Red Hat Integration Camel K as having a moderate impact, we believe a low impact is more appropriate and better represents Red Hat's specification of a low impact flaw (https://access.redhat.com/security/updates/classification), which describes low impact vulnerabilities as "These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited". In the case of jackson-databind's `DOMDeserializer` actually being called, we believe those unlikely circumstances to be:
*) Camel components making use of jackson-databind do not expose this functionality.
*) There are specialised components in Camel to parse and deserialize DOM, such as camel-jacksonxml, which relies on jackson-dataformat-xml; jackson-dataformat-xml is not vulnerable to this XXE flaw.
*) We believe the usage pattern is itself unlikely and can find no further evidence of implicit use:
```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.w3c.dom.Document;

ObjectMapper mapper = new ObjectMapper();
Document doc = mapper.readValue("\"<badxml/>\"", Document.class);
```
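The per-product check applied throughout this bug (does any code bind JSON to org.w3c.dom types, so that DOMDeserializer is implicitly reached?), as an added example that is not part of this bug report or of jackson-databind: a small Python scanner that flags such call sites and DOM-typed bean fields in Java source. The Java it scans is constructed, and the regexes are a triage heuristic, not a complete analysis.

```python
import re
from typing import List, Tuple

# Jackson entry points whose target-type argument selects the deserializer.
_ENTRY = r"readValue|readValues|convertValue|treeToValue|readerFor"
_DOM = r"(?:org\.w3c\.dom\.)?(Document|Node)"
# e.g. mapper.readValue(json, Document.class) or mapper.readerFor(Node.class)
CALL_RE = re.compile(rf"\b(?:{_ENTRY})\s*\((?:[^()]*,\s*)?{_DOM}\.class")
# A bean field typed as a DOM node is bound by the same deserializer whenever
# its class is a Jackson target (heuristic: only fields with an access modifier).
FIELD_RE = re.compile(rf"^\s*(?:private|protected|public)\s+(?:final\s+)?{_DOM}\s+\w+\s*[;=]")
IMPORT_DOM_RE = re.compile(r"^\s*import\s+org\.w3c\.dom\.")
IMPORT_JACKSON_RE = re.compile(r"^\s*import\s+com\.fasterxml\.jackson\.")
Finding = Tuple[str, int, str, str]  # (file, line number, kind, source line)


def scan_java_source(name: str, source: str) -> List[Finding]:
    """Return the lines of one Java file that bind JSON to org.w3c.dom types."""
    lines = source.splitlines()
    uses_dom = any(IMPORT_DOM_RE.match(l) for l in lines)
    uses_jackson = any(IMPORT_JACKSON_RE.match(l) for l in lines)
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        # Gate on the import so org.bson.Document / jsoup Document are ignored.
        if CALL_RE.search(line) and (uses_dom or "org.w3c.dom" in line):
            findings.append((name, no, "direct-target", line.strip()))
        elif uses_dom and uses_jackson and FIELD_RE.match(line):
            findings.append((name, no, "dom-property", line.strip()))
    return findings


# Constructed sample, not code from any Red Hat product.
SAMPLE_JAVA = """\
package example;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

public class Loader {
    private Node fragment;
    private String label;
    Document load(ObjectMapper mapper, String json) throws Exception {
        Document doc = mapper.readValue(json, Document.class);
        Node n = mapper.convertValue(json, org.w3c.dom.Node.class);
        return doc;
    }
}
"""
if __name__ == "__main__":
    for path, no, kind, text in scan_java_source("Loader.java", SAMPLE_JAVA):
        print(f"{path}:{no}: {kind}: {text}")
```

A hit of either kind means the fixed jackson-databind (or a custom deserializer for those types) is needed; no hits is the situation the comments above describe for Fuse, Camel K and AMQ.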
This issue has been addressed in the following products: Red Hat Integration - Camel K - Tech-Preview 3 Via RHSA-2021:0811 https://access.redhat.com/errata/RHSA-2021:0811
This issue has been addressed in the following products: Red Hat AMQ Streams 1.7.0 Via RHSA-2021:1260 https://access.redhat.com/errata/RHSA-2021:1260
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:1429 https://access.redhat.com/errata/RHSA-2021:1429
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:2039 https://access.redhat.com/errata/RHSA-2021:2039
This issue has been addressed in the following products: RHPAM 7.11.0 Via RHSA-2021:2475 https://access.redhat.com/errata/RHSA-2021:2475
This issue has been addressed in the following products: RHDM 7.11.0 Via RHSA-2021:2476 https://access.redhat.com/errata/RHSA-2021:2476