Bug 1666423 (CVE-2018-14720)
| Summary: | CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aboyko, ahardin, aos-bugs, asoldano, atangrin, bbaranow, bbuckingham, bcourt, bkearney, bleanhar, bmaxwell, bmcclain, bmontgom, brian.stansberry, cbillett, ccoleman, cdewolf, chazlett, csutherl, darran.lofthouse, dbecker, dblechte, dedgar, dfediuck, dimitris, dkreling, dosoudil, eedri, eparis, hhorak, iweiss, jawilson, jburrell, jcantril, jgoulding, jjoyce, jochrist, jokerman, jorton, jperkins, jschluet, jshepherd, jwon, kbasil, krathod, kwills, lgao, lhh, lpeer, mburns, mchappel, mgoldboi, michal.skrivanek, mkolesni, mmccune, mrike, msochure, msvehla, myarboro, nstielau, nwallace, ohadlevy, pgier, pjindal, pmackay, psakar, pslavice, psotirop, rchan, rguimara, rhcs-maint, rjerrido, rnetuka, rstancel, rsvoboda, sbonazzo, sclewis, sherold, slinaber, smaestri, sponnaga, tomckay, tom.jenkinson, twalsh, vtunka, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jackson-databind 2.9.7, jackson-databind 2.7.9.5, jackson-databind 2.8.11.3 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the slf4j, flex messaging, sun DRSHelper and JAX-WS gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:45:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1666424, 1672879, 1672880, 1672881, 1677138, 1677139, 1677140, 1677141, 1677142, 1730588, 1731780, 1731787, 1731789, 1731790, 1731792, 1732286, 1732291, 1732539, 1940563 | ||
| Bug Blocks: | 1666431 | ||
|
Description
Laura Pardo
2019-01-15 18:54:51 UTC
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1666424] Statement: Red Hat Satellite 6 is not affected by this issue, since its only supported Java runtime (openJDK) doesn't bundle the com.sun.deploy.security.ruleset.DRSHelper class. Red Hat Enterprise Virtualization 4 is not affected by this issue, since its only supported Java runtime (openJDK) doesn't bundle the com.sun.deploy.security.ruleset.DRSHelper class. OpenDaylight is installed with the OpenJDK JRE, and as such, the JRE does not include the vulnerable class. In addition, the vulnerable class is not used by OpenDaylight, even though jackson-databind is included by the OpenDaylight-parent aggregator at vulnerable versions. I will still create Moderate priority trackers to get the library updated. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:0782 https://access.redhat.com/errata/RHSA-2019:0782 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:1106 https://access.redhat.com/errata/RHSA-2019:1106 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2019:1107 https://access.redhat.com/errata/RHSA-2019:1107 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2019:1108 https://access.redhat.com/errata/RHSA-2019:1108 This issue has been addressed in the following products: Red Hat Single Sign-On 7.3.1 zip Via RHSA-2019:1140 https://access.redhat.com/errata/RHSA-2019:1140 This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2019:1823 https://access.redhat.com/errata/RHSA-2019:1823 This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2019:1822 https://access.redhat.com/errata/RHSA-2019:1822 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149 This issue has been addressed in the following products: Red Hat Fuse 7.5.0 Via RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892 This issue has been addressed in the following products: Red Hat Data Grid Via RHSA-2019:4037 https://access.redhat.com/errata/RHSA-2019:4037 Mitigation: The following conditions are needed for an exploit, we recommend avoiding all if possible * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2564 https://access.redhat.com/errata/RHSA-2020:2564 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:1230 https://access.redhat.com/errata/RHSA-2021:1230 |