Bug 1755831 (CVE-2019-16335)

Summary: CVE-2019-16335 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, ahardin, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bleanhar, bmaxwell, bmontgom, brian.stansberry, btotty, cbyrne, ccoleman, cdewolf, chazlett, cmacedo, darran.lofthouse, dbecker, decathorpe, dedgar, dffrench, dkreling, dosoudil, drieden, drusso, eparis, etirelli, ganandan, ggaughan, hhorak, hhudgeon, ibek, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jgoulding, jjoyce, jmadigan, jochrist, jokerman, jolee, jorton, jpallich, jperkins, jschatte, jschluet, jshepherd, jstastny, kbasil, krathod, kverlaen, kwills, lef, lgao, lhh, lpeer, lthon, lzap, mat.booth, mburns, mchappel, mkolesni, mmccune, mnovotny, msochure, msvehla, mszynkie, ngough, nstielau, nwallace, paradhya, pdrozd, pgallagh, pmackay, psotirop, puntogil, pwright, rchan, rguimara, rhcs-maint, rjerrido, rrajasek, rruss, rsvoboda, rsynek, sclewis, scohen, sdaley, slinaber, slong, smaestri, sponnaga, stewardship-sig, sthorger, swoodman, tom.jenkinson, trepel, trogers, twalsh, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jackson-databind 2.9.10 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariDataSource gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-24 12:51:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1755832, 1760278, 1760279, 1762564, 1762566, 1762567, 1762568, 1762569, 1762570, 1762571, 1762572, 1781719    
Bug Blocks: 1755833    

Description Dhananjay Arunesh 2019-09-26 10:04:04 UTC
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Reference:
https://github.com/FasterXML/jackson-databind/issues/2449
https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E

Comment 1 Dhananjay Arunesh 2019-09-26 10:04:30 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1755832]

Comment 5 Doran Moppert 2019-10-10 03:40:26 UTC
Mitigation:

This vulnerability relies on com.zaxxer.hikari.HikariDataSource being present in the application's ClassPath. Hikari is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use com.zaxxer.hikari are not impacted by this vulnerability.

A mitigation to this class of problem in jackson-databind is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

Comment 12 errata-xmlrpc 2019-10-24 09:18:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200

Comment 13 Product Security DevOps Team 2019-10-24 12:51:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16335

Comment 14 Paramvir jindal 2019-11-19 11:08:09 UTC
Marking RHSSO as affected fix because the fix version seems to be jackson-databind 2.9.10 and RHSSO 7.3.4 (latest as of today) ships jackson-databind-2.9.9.3-redhat-00001.jar.

Comment 20 Paramvir jindal 2019-12-17 09:20:47 UTC
JDG 7.3.4 ships jackson-databind-2.9.9.3-redhat-00001.jar which seems to be affected hence creating tracker for it : 

JDG/modules/system/add-ons/jdg/.overlays/layer-jdg-jboss-jdg-7.3.4.CP/com/fasterxml/jackson/core/jackson-databind/jdg-7.3/jackson-databind-2.9.9.3-redhat-00001.jar

Comment 23 errata-xmlrpc 2020-01-21 02:23:43 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164

Comment 24 errata-xmlrpc 2020-01-21 02:56:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159

Comment 25 errata-xmlrpc 2020-01-21 03:21:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161

Comment 26 errata-xmlrpc 2020-01-21 03:46:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160

Comment 27 errata-xmlrpc 2020-02-06 08:35:08 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445

Comment 28 errata-xmlrpc 2020-03-05 13:12:56 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.5

Via RHSA-2020:0729 https://access.redhat.com/errata/RHSA-2020:0729

Comment 29 errata-xmlrpc 2020-03-18 14:51:53 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895

Comment 30 errata-xmlrpc 2020-03-18 17:38:09 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899

Comment 31 errata-xmlrpc 2020-04-28 15:34:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1644 https://access.redhat.com/errata/RHSA-2020:1644

Comment 33 errata-xmlrpc 2020-05-18 10:26:13 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

Comment 34 errata-xmlrpc 2020-05-28 15:58:47 UTC
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333

Comment 35 errata-xmlrpc 2020-07-28 15:54:42 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192

Comment 37 Jason Shepherd 2021-03-17 01:55:52 UTC
Statement:

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.

While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.