jackson-databind 2.9.10.6 is affected by: SSRF, deserialization vulnerability. The impact is: SSRF (remote). The component is: use jackson-databind version 2.9.10.6 and create an ObjectMapper object `mapper`. When `mapper.enableDefaultTyping()` is used, calling `mapper.readValue(payload, Object.class)` with payload `["javax.swing.JTextPane",{"page":"remoteaddr"}]` can cause SSRF. References: https://github.com/FasterXML/jackson-databind/issues/2854
Current Satellite versions and upcoming versions are using jackson-databind 2.10+, which is not affected by the vulnerability:
* rhn_satellite:6.7/candlepin-0:2.9.30-1.el7sat: jackson-databind-2.10.1
* rhn_satellite:6.8/candlepin-0:3.1.22-1.el7sat: jackson-databind-2.10.1
* upcoming: rhn_satellite:6.9/candlepin-0:3.1.23-1.el7sat: jackson-databind-2.10.1.jar
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1917284]
Mitigation: The following conditions are needed for an exploit; we recommend avoiding all of them if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`
* javax.swing in the classpath
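The conditions above boil down to one configuration decision: whether the JSON input is allowed to name the Java class that gets instantiated. The following example is added here for illustration and is not code from Red Hat, from the jackson-databind project, or from the upstream issue. It assumes jackson-databind 2.10 or later (the `activateDefaultTyping`/`PolymorphicTypeValidator` API and `JsonMapper.builder()` do not exist in 2.9.x) and uses a hypothetical `Notification` hierarchy. It contrasts the unsafe `enableDefaultTyping()` setup with a hardened mapper that binds polymorphic input by logical type name only, and shows that the page's `readValue(..., Object.class)` pattern yields a plain `List` rather than an instantiated class once default typing is off.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicDeserialization {

    // Hypothetical application-owned hierarchy. The wire format carries a logical
    // name ("email"/"sms"), never a class name, so input cannot pick a class to load.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = EmailNotification.class, name = "email"),
        @JsonSubTypes.Type(value = SmsNotification.class, name = "sms")
    })
    public interface Notification { String target(); }

    public static final class EmailNotification implements Notification {
        public String address;
        @Override public String target() { return address; }
    }

    public static final class SmsNotification implements Notification {
        public String number;
        @Override public String target() { return number; }
    }

    // Weak configuration: the condition the mitigation tells you to avoid.
    // Global default typing with no validator lets the JSON choose the class.
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened configuration: no global default typing. Polymorphism is only
    // available through the annotated hierarchy, and the validator restricts type
    // resolution to that hierarchy should default typing ever be activated later.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Notification.class)
            .allowIfSubType(Notification.class)
            .build();
        return JsonMapper.builder()
            .polymorphicTypeValidator(ptv)
            .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed trusted-shape input: logical type name, bound to the app's own type.
        String good = "{\"type\":\"email\",\"address\":\"ops@example.test\"}";
        Notification n = mapper.readValue(good, Notification.class);
        System.out.println("Bound " + n.getClass().getSimpleName() + " -> " + n.target());

        // Constructed input that tries to smuggle a class name as the type id.
        // With Id.NAME only registered names resolve, so this is rejected.
        String badName = "{\"type\":\"com.example.NotAllowed\",\"address\":\"x\"}";
        try {
            mapper.readValue(badName, Notification.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("Rejected unknown type id: " + e.getTypeId());
        }

        // The page's vector: a [className, {...}] array bound to Object.class.
        // Without default typing this is just a JSON array and becomes a List.
        String arrayForm = "[\"com.example.NotAllowed\",{\"page\":\"x\"}]";
        Object o = mapper.readValue(arrayForm, Object.class);
        System.out.println("Object.class binding produced: " + o.getClass().getName());
    }
}
```

When reviewing a code base for this issue, grep for `enableDefaultTyping(`, `activateDefaultTyping(` without a restrictive validator, and `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS` / `Id.MINIMAL_CLASS`; each hit that reads data from an untrusted source is a candidate for the pattern above.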
Upstream patch: https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a
External References: https://github.com/advisories/GHSA-5949-rw7g-wx7w
Statement: The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit it, lowering their vulnerability impact:
* JBoss Data Grid 7
* Business Process Management Suite 6
* Business Rules Management Suite 6
* JBoss Data Virtualization 6
* Red Hat Fuse Service Works 6
* Red Hat OpenStack Platform
* Red Hat OpenShift containers: ose-metering-hadoop, ose-metering-hive, ose-logging-elasticsearch5, ose-logging-elasticsearch6
These products may update the jackson-databind dependency in a future release. In Red Hat OpenShift 4 there are no plans to maintain the ose-logging-elasticsearch5 container; therefore it has been marked wontfix at this time and may be fixed in a future update.
The following Red Hat products ship OpenDaylight, which contains the vulnerable jackson-databind, but do not expose jackson-databind in a way that would make it exploitable:
* Red Hat OpenStack Platform 13
As such, Red Hat will not be providing a fix for OpenDaylight at this time.
The following Red Hat products are not affected by this flaw because they use a more recent version of jackson-databind that does not contain the vulnerable code:
* CodeReady Studio 12.16.0
* CodeReady WorkSpaces Server Container
* Red Hat Enterprise Linux 8
* Red Hat Enterprise Virtualization
* Red Hat Satellite 6
* Red Hat OpenShift container: ose-metering-presto
This issue has been addressed in the following products:
* Red Hat OpenShift Container Platform 4.6, via RHSA-2021:1230 https://access.redhat.com/errata/RHSA-2021:1230
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20190
Hi team, is RHEL7 affected by cve-2021-20190? Best regards, Jian Jia