Bug 1549276 (CVE-2018-7489)

| Field | Value |
|---|---|
| Summary | CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries |
| Product | [Other] Security Response |
| Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | abhgupta, ahardin, aileenc, alazarot, anstephe, aos-bugs, avibelli, bbuckingham, bcourt, bgeorges, bkearney, bleanhar, bmaxwell, bmcclain, bmontgom, cbillett, cbuissar, ccoleman, cdewolf, chazlett, cmoulliard, csutherl, darran.lofthouse, dblechte, dedgar, dfediuck, dffrench, dimitris, dosoudil, drieden, drusso, eedri, eparis, etirelli, fgavrilo, hhorak, ibek, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jgoulding, jmadigan, jmatthew, jokerman, jolee, jondruse, jorton, jpallich, jschatte, jshepherd, jstastny, kbost, krathod, kverlaen, lef, lgao, lgriffin, loleary, lpetrovi, lsurette, lthon, mchappel, mgoldboi, miburman, michal.skrivanek, mmccune, mrike, mszynkie, myarboro, ngough, nlevy, nstielau, ohadlevy, paradhya, pgallagh, pgier, pjurak, ppalaga, psakar, pslavice, psotirop, puntogil, pwright, rchan, rcosta, Rhev-m-bugs, rjerrido, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rzhang, sbonazzo, sdaley, security-response-team, sfowler, sherold, spinder, sponnaga, srevivo, theute, tiwillia, tomckay, trepel, trogers, tsanders, twalsh, vhalbert, vkadlcik, vtunka, yjog, yozone, yturgema |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | jackson-databind 2.8.11.1, jackson-databind 2.9.5 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was discovered in FasterXML jackson-databind: it permits polymorphic deserialization of malicious objects via the c3p0 gadget when used with polymorphic type handling such as `enableDefaultTyping()`, when `@JsonTypeInfo` uses `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other configuration in which `ObjectMapper.readValue` may instantiate objects from untrusted input. An attacker could use this flaw to execute arbitrary code. |
| Story Points | --- |
| Last Closed | 2019-06-08 03:41:22 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1549279, 1549393, 1549394, 1551886, 1551887, 1551888, 1561825, 1561826, 1582507, 1730588, 1731780, 1731787, 1731789, 1731790, 1731792, 1732286, 1732291, 1732539 |
| Bug Blocks | 1549282 |
Description
Pedro Sampaio
2018-02-26 21:21:52 UTC
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1549279]

RHMAP does not use RESTEasy in an unsafe way. Marking as not affected.

RHOAR VertX uses c3p0 and jackson-databind 2.9.3, so is affected by this flaw. Filing a tracking bug which will target the 3.5.1 release.

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7. Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5. Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451

External References: https://access.redhat.com/solutions/3442891

This issue has been addressed in the following products: Red Hat Openshift Application Runtimes. Via RHSA-2018:1786 https://access.redhat.com/errata/RHSA-2018:1786

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2018:2088 https://access.redhat.com/errata/RHSA-2018:2088

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6. Via RHSA-2018:2090 https://access.redhat.com/errata/RHSA-2018:2090

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7. Via RHSA-2018:2089 https://access.redhat.com/errata/RHSA-2018:2089

This issue has been addressed in the following products: Red Hat Openshift Application Runtimes (text-only advisories). Via RHSA-2018:2938 https://access.redhat.com/errata/RHSA-2018:2938

This issue has been addressed in the following products: Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R8. Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

Statement: Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.

Satellite 6.2 does not support c3p0 classes. Since the latter are required for this flaw, Satellite 6.2 is not affected. Satellite 6.3 and 6.4 are not affected because Candlepin does not use polymorphic deserialization.

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1. Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11. Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149

Mitigation: Advice on how to remain safe while using JAX-RS webservices on JBoss EAP 7.x is available here:

https://access.redhat.com/solutions/3279231
https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization

General Mitigation: Try to avoid

* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2020:2562 https://access.redhat.com/errata/RHSA-2020:2562
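The configuration the Doc Text and the General Mitigation warn about, beside the closed-allowlist form the linked Jackson wiki recommends, as an added example that is not code from this Bugzilla record or from jackson-databind; the Shape classes, the JSON documents and the placeholder class names are constructed for illustration.

```java
// Added example (not from the Bugzilla record or from jackson-databind):
// default typing, which resolves a class name from the input, next to an
// explicit @JsonSubTypes allowlist keyed by logical name. Works on 2.8/2.9.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicTypingDemo {

    // Unsafe: with default typing on, the class to instantiate is taken from
    // the document. Any class on the classpath that Jackson can construct is
    // reachable to whoever controls the JSON (the c3p0 classes in this report
    // are one such case). On 2.10+ the replacement is activateDefaultTyping(...)
    // with an explicit PolymorphicTypeValidator allowlist.
    static Object unsafeRead(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();  // default scope: OBJECT_AND_NON_CONCRETE
        return mapper.readValue(json, Object.class);
    }

    // Safe: a closed set of subtypes selected by a logical name, so no class
    // name is ever resolved from the untrusted document.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    static Shape safeRead(String json) throws Exception {
        return new ObjectMapper().readValue(json, Shape.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the sender names the concrete class (a harmless one here).
        String senderChosen = "[\"java.util.HashMap\", {\"k\": \"v\"}]";
        System.out.println("unsafe, class chosen by input: " + unsafeRead(senderChosen).getClass());

        System.out.println("safe: " + safeRead("{\"kind\":\"circle\",\"radius\":2}").getClass());
        try {
            safeRead("{\"kind\":\"com.example.NotListed\",\"radius\":1}");
        } catch (InvalidTypeIdException e) {
            // Unknown type ids are rejected before any object is built.
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```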