Bug 1737517 (CVE-2019-14379)
| Summary: | CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | ahardin, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bleanhar, bmaxwell, bmontgom, brian.stansberry, btotty, cbyrne, ccoleman, cdewolf, chazlett, cmacedo, darran.lofthouse, dbecker, dedgar, deesharm, dffrench, dosoudil, drieden, drusso, eparis, etirelli, extras-orphan, ganandan, ggaughan, hhorak, hhudgeon, ibek, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jgoulding, jjoyce, jmadigan, jochrist, jokerman, jolee, jorton, jpallich, jperkins, jschatte, jschluet, jshepherd, jstastny, jwon, kbasil, krathod, kverlaen, kwills, lef, lgao, lhh, lpeer, lpetrovi, lthon, lzap, mat.booth, mburns, mchappel, mhulan, mkolesni, mkoncek, mkosek, mmccune, mnovotny, msiddiqu, msochure, msvehla, mszynkie, ngough, nstielau, nwallace, paradhya, pdrozd, pgallagh, pmackay, prodsec-dev, psotirop, puntogil, pwright, rchan, rguimara, rhcs-maint, rjerrido, rrajasek, rruss, rsvoboda, rsynek, sclewis, scohen, sdaley, skitt, slinaber, smaestri, sponnaga, sthorger, tom.jenkinson, trepel, trogers, twalsh, vhalbert |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jackson-databind 2.9.9.2, jackson-databind 2.10.0, jackson-databind 2.7.9.6, jackson-databind 2.8.11.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-09-13 12:45:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1737518, 1738404, 1738406, 1738407, 1738408, 1738409, 1738410, 1738411, 1739083, 1739084, 1740588, 1740589, 1740590, 1740591, 1940563 | ||
| Bug Blocks: | 1737522 | ||
|
Description
msiddiqu
2019-08-05 14:59:56 UTC
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1737518] This vulnerability is out of security support scope for the following product: * Red Hat Mobile Application Platform Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. Statement: While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release. Similarly, Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release. Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2019:2743 https://access.redhat.com/errata/RHSA-2019:2743 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14379 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2019:2937 https://access.redhat.com/errata/RHSA-2019:2937 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2019:2935 https://access.redhat.com/errata/RHSA-2019:2935 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2019:2936 https://access.redhat.com/errata/RHSA-2019:2936 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:2938 https://access.redhat.com/errata/RHSA-2019:2938 This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2019:2998 https://access.redhat.com/errata/RHSA-2019:2998 This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 6 Via RHSA-2019:3044 https://access.redhat.com/errata/RHSA-2019:3044 This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 7 Via RHSA-2019:3045 https://access.redhat.com/errata/RHSA-2019:3045 This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 8 Via RHSA-2019:3046 https://access.redhat.com/errata/RHSA-2019:3046 This issue has been addressed in the following products: Red Hat Single Sign-On 7.3.4 zip Via RHSA-2019:3050 https://access.redhat.com/errata/RHSA-2019:3050 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149 This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2019:3292 https://access.redhat.com/errata/RHSA-2019:3292 This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2019:3297 https://access.redhat.com/errata/RHSA-2019:3297 This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Vert.x 3.8.3 Via RHSA-2019:3901 https://access.redhat.com/errata/RHSA-2019:3901 Mitigation: The following conditions are needed for an exploit, we recommend avoiding all if possible * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` This issue has been addressed in the following products: Red Hat Data Grid 7.3.3 Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727 This issue has been addressed in the following products: Red Hat Fuse 7.6.0 Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:1230 https://access.redhat.com/errata/RHSA-2021:1230 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Via RHSA-2024:5856 https://access.redhat.com/errata/RHSA-2024:5856 |