Bug 1538332 (CVE-2018-5968)
| Summary: | CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ahardin, aileenc, alazarot, anstephe, aos-bugs, apinnick, bcourt, bdawidow, bkearney, bleanhar, bmaxwell, bmcclain, bmontgom, cbillett, ccoleman, cdewolf, chazlett, csutherl, darran.lofthouse, dblechte, dedgar, dimitris, dmcphers, dmoppert, dosoudil, drieden, eedri, eparis, etirelli, fgavrilo, hhorak, ibek, java-sig-commits, jawilson, jburrell, jcantril, jcoleman, jgoulding, jmatthew, jokerman, jolee, jondruse, jorton, jschatte, jshepherd, jstastny, krathod, kverlaen, lef, lgao, lpetrovi, mchappel, mgoldboi, michal.skrivanek, mmccune, mrike, myarboro, nstielau, nwallace, ohadlevy, paradhya, pdrozd, pgier, pjurak, ppalaga, psakar, pslavice, psotirop, puntogil, rchan, rnetuka, rrajasek, rstancel, rsvoboda, rsynek, rzhang, sdaley, sherold, sponnaga, sthorger, tomckay, tsanders, twalsh, vhalbert, vkadlcik, vtunka, ykaul |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jackson-databind-2.9.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A deserialization flaw was discovered in the jackson-databind that could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaws CVE-2017-7525 and CVE-2017-17485 by blacklisting more classes that could be used maliciously.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:38:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1538333, 1538395, 1539162, 1539163, 1551370, 1551371, 1551372, 1565285, 1730588, 1731780, 1731787, 1731789, 1731790, 1731792, 1732286, 1732291, 1732539 | ||
| Bug Blocks: | 1538335 | ||
|
Description
Laura Pardo
2018-01-24 20:31:59 UTC
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1538333] Reduced to moderate after internal discussions about ratings on flaws versus ratings per product. A moderate rating on the flaw will allow CVE pages and automated tools to better understand our impact rating of this flaw. We expect most products are not vulnerable because of their configuration. If you're making use of JAX-RS Webservices in JBoss EAP 7, or a layered product please check that the webservices are coded according to the advise in: https://access.redhat.com/solutions/3279231 https://access.redhat.com/security/cve/CVE-2018-5968 says that rh-eclipse46-jackson-databind is under investigation. Please, look at rh-eclipse47-jackson-databind as well. Statement: JBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advice about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: https://access.redhat.com/solutions/3279231 This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellitw 6.x. However the affected code is NOT used at this time: Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected. However as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked. Red Hat Subscription Asset Manager version 1 is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0478 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481 This issue has been addressed in the following products: Red Hat Virtualization 4 for RHEL-7 Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149 |