Bug 1506612 (CVE-2017-15095)

Summary: CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, ahardin, aileenc, alazarot, anstephe, aos-bugs, bcourt, bkearney, bleanhar, bmaxwell, bmcclain, bmontgom, cbillett, ccoleman, cdewolf, chazlett, csutherl, darran.lofthouse, dblechte, dedgar, dimitris, dmoppert, dosoudil, drusso, eedri, eparis, etirelli, fgavrilo, hhorak, ibek, java-sig-commits, jawilson, jburrell, jcantril, jcoleman, jgoulding, jmadigan, jmatthew, jokerman, jolee, jondruse, jorton, jshepherd, jstastny, kpiwko, kverlaen, lef, lgao, lgriffin, loleary, lpetrovi, lsurette, mchappel, mgoldboi, miburman, michal.skrivanek, mmccune, mrike, myarboro, ngough, nstielau, nwallace, ohadlevy, paradhya, pbraun, pgier, pjurak, ppalaga, psakar, pslavice, psotirop, puntogil, pwright, Rhev-m-bugs, rnetuka, rrajasek, rstancel, rsvoboda, rsynek, rzhang, sdaley, security-response-team, sfowler, sherold, spinder, sponnaga, srevivo, theute, tiwillia, tomckay, tsanders, twalsh, vhalbert, vkadlcik, vtunka, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jackson-databind 2.8.10, jackson-databind-2.9.2 Doc Type: If docs needed, set a value
Doc Text:
A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:29:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1506725, 1506726, 1507388, 1507389, 1507699, 1507700, 1507701, 1507702, 1507703, 1508703, 1510363, 1515023, 1527998, 1527999, 1730588, 1731780, 1731787, 1731789, 1731790, 1731792, 1732286, 1732291, 1732539    
Bug Blocks: 1503101    

Description Adam Mariš 2017-10-26 12:52:37 UTC 
An unsafe deserialization vulnerability was found due to incomplete blacklisting of the unsafe elements. This issue is incomplete fix for CVE-2017-7525.
Comment 1 Adam Mariš 2017-10-26 12:52:42 UTC 
Acknowledgments:

Name: Liao Xinxi (NSFOCUS)
Comment 3 Doran Moppert 2017-10-27 02:57:11 UTC 
Other distributions may have made the same mistake, since the original upstream ticket was closed before additional names were added to the blacklist.

Original ticket + patches (CVE-2017-7525):

  https://github.com/FasterXML/jackson-databind/issues/1599
  https://github.com/FasterXML/jackson-databind/commit/60d459ce
  https://github.com/FasterXML/jackson-databind/commit/3bfbb835

Further tickets and patches to block more dangerous types (I think these are all):

  https://github.com/FasterXML/jackson-databind/issues/1680
  https://github.com/FasterXML/jackson-databind/issues/1723
  https://github.com/FasterXML/jackson-databind/issues/1737

  https://github.com/FasterXML/jackson-databind/commit/e8f043d1
  https://github.com/FasterXML/jackson-databind/commit/ddfddfba

This CVE-2017-15095 should be considered to include everything in NO_DESER_CLASS_NAMES as of today:

  https://github.com/FasterXML/jackson-databind/blob/7093008aa2afe8068e120df850189ae072dfa1b2/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java#L43
Comment 11 Doran Moppert 2017-11-02 01:20:35 UTC 
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1508703]
Comment 13 Doran Moppert 2017-11-07 06:43:25 UTC 
Mitigation:

Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Comment 14 errata-xmlrpc 2017-11-13 04:25:09 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2017:3189 https://access.redhat.com/errata/RHSA-2017:3189
Comment 15 errata-xmlrpc 2017-11-13 04:37:02 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3190 https://access.redhat.com/errata/RHSA-2017:3190
Comment 23 Jason Shepherd 2017-12-14 06:03:51 UTC 
Statement:

This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:

Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.

However as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.

JBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: 

https://access.redhat.com/solutions/3279231
Comment 30 errata-xmlrpc 2018-02-22 09:21:31 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0342 https://access.redhat.com/errata/RHSA-2018:0342
Comment 31 errata-xmlrpc 2018-03-12 16:39:41 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0478
Comment 32 errata-xmlrpc 2018-03-12 17:00:01 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480
Comment 33 errata-xmlrpc 2018-03-12 17:02:49 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479
Comment 34 errata-xmlrpc 2018-03-12 17:23:08 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481
Comment 35 errata-xmlrpc 2018-03-22 08:09:13 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2018:0576 https://access.redhat.com/errata/RHSA-2018:0576
Comment 36 errata-xmlrpc 2018-03-22 08:10:47 UTC 
This issue has been addressed in the following products:

  Red Hat Business Automation

Via RHSA-2018:0577 https://access.redhat.com/errata/RHSA-2018:0577
Comment 37 errata-xmlrpc 2018-05-14 20:15:39 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447
Comment 38 errata-xmlrpc 2018-05-14 20:36:10 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448
Comment 39 errata-xmlrpc 2018-05-14 20:38:31 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449
Comment 40 errata-xmlrpc 2018-05-14 20:42:42 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450
Comment 41 errata-xmlrpc 2018-05-14 20:50:27 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451
Comment 43 Bharti Kundal 2018-05-16 07:34:50 UTC 
External References:

https://access.redhat.com/solutions/3442891
Comment 44 errata-xmlrpc 2018-10-16 15:20:00 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927
Comment 55 errata-xmlrpc 2019-09-27 00:13:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858
Comment 56 errata-xmlrpc 2019-10-18 19:52:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149
Comment 57 errata-xmlrpc 2019-11-14 21:17:51 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.5.0

Via RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892