Bug 1713468 (CVE-2019-12086)
| Summary: | CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ahardin, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, ataylor, avibelli, bbuckingham, bcourt, bgeorges, bkearney, bleanhar, bmaxwell, bmontgom, btotty, cbyrne, ccoleman, cdewolf, chazlett, cmacedo, csutherl, darran.lofthouse, dbecker, dedgar, dffrench, dosoudil, drieden, drusso, eparis, etirelli, hhorak, hhudgeon, ibek, janstey, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jgoulding, jjoyce, jmadigan, jochrist, jokerman, jorton, jpallich, jschluet, jshepherd, kbasil, krathod, kverlaen, lef, lgao, lhh, lpeer, lthon, lzap, mburns, mchappel, mhulan, mkolesni, mmccune, mnovotny, mszynkie, ngough, nstielau, paradhya, pdrozd, pgallagh, pgier, psakar, pslavice, psotirop, puntogil, pwright, rchan, rhcs-maint, rjerrido, rnetuka, rrajasek, rruss, rsvoboda, rsynek, sclewis, scohen, sdaley, slinaber, sponnaga, sthorger, tom.jenkinson, trepel, trogers, twalsh, vtunka |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jackson-databind 2.9.9 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the mysql gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to read arbitrary local files
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-09-27 00:45:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1713469, 1724441, 1724442, 1724443, 1730588, 1731780, 1731787, 1731789, 1731790, 1731792, 1732286, 1732291, 1732539 | ||
| Bug Blocks: | 1713470 | ||
|
Description
msiddiqu
2019-05-23 19:23:53 UTC
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1713469] OpenDaylight in Red Hat OpenStack 9 & 10 was released as a technical preview and will not be receiving security updates. All versions of Red Hat OpenStack's OpenDaylight ships with the vulnerable package. However, OpenDaylight will not receive a fix for this issue at this time. This vulnerability is out of security support scope for the following product: * Red Hat Mobile Application Platform Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 * Red Hat JBoss BPM Suite 6 * Red Hat JBoss A-MQ 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12086 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2019:2937 https://access.redhat.com/errata/RHSA-2019:2937 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2019:2935 https://access.redhat.com/errata/RHSA-2019:2935 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2019:2936 https://access.redhat.com/errata/RHSA-2019:2936 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:2938 https://access.redhat.com/errata/RHSA-2019:2938 This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2019:2998 https://access.redhat.com/errata/RHSA-2019:2998 This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 6 Via RHSA-2019:3044 https://access.redhat.com/errata/RHSA-2019:3044 This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 7 Via RHSA-2019:3045 https://access.redhat.com/errata/RHSA-2019:3045 This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 8 Via RHSA-2019:3046 https://access.redhat.com/errata/RHSA-2019:3046 This issue has been addressed in the following products: Red Hat Single Sign-On 7.3.4 zip Via RHSA-2019:3050 https://access.redhat.com/errata/RHSA-2019:3050 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149 Marking RHDM and RHPAM as not affected as it ships jackson-databind-2.9.9.3-redhat-00002.jar which is already fixed. Mitigation: The following conditions are needed for an exploit, we recommend avoiding all if possible * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` Statement: Red Hat Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release. This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 7 Via RHSA-2020:1454 https://access.redhat.com/errata/RHSA-2020:1454 This issue has been addressed in the following products: Red Hat Fuse 7.7.0 Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192 |