Bug 1755831 (CVE-2019-16335)
Summary: | CVE-2019-16335 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aboyko, ahardin, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bleanhar, bmaxwell, bmontgom, brian.stansberry, btotty, cbyrne, ccoleman, cdewolf, chazlett, cmacedo, darran.lofthouse, dbecker, decathorpe, dedgar, dffrench, dkreling, dosoudil, drieden, drusso, eparis, etirelli, ganandan, ggaughan, hhorak, hhudgeon, ibek, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jgoulding, jjoyce, jmadigan, jochrist, jokerman, jolee, jorton, jpallich, jperkins, jschatte, jschluet, jshepherd, jstastny, kbasil, krathod, kverlaen, kwills, lef, lgao, lhh, lpeer, lthon, lzap, mat.booth, mburns, mchappel, mkolesni, mmccune, mnovotny, msochure, msvehla, mszynkie, ngough, nstielau, nwallace, paradhya, pdrozd, pgallagh, pmackay, psotirop, puntogil, pwright, rchan, rguimara, rhcs-maint, rjerrido, rrajasek, rruss, rsvoboda, rsynek, sclewis, scohen, sdaley, slinaber, slong, smaestri, sponnaga, stewardship-sig, sthorger, swoodman, tom.jenkinson, trepel, trogers, twalsh, vhalbert |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | jackson-databind 2.9.10 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariDataSource gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-10-24 12:51:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1755832, 1760278, 1760279, 1762564, 1762566, 1762567, 1762568, 1762569, 1762570, 1762571, 1762572, 1781719 | ||
Bug Blocks: | 1755833 |
Description
Dhananjay Arunesh
2019-09-26 10:04:04 UTC
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1755832] Mitigation: This vulnerability relies on com.zaxxer.hikari.HikariDataSource being present in the application's ClassPath. Hikari is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use com.zaxxer.hikari are not impacted by this vulnerability. A mitigation to this class of problem in jackson-databind is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true Upstream patch: https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db This issue has been addressed in the following products: Red Hat JBoss AMQ Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16335 Marking RHSSO as affected fix because the fix version seems to be jackson-databind 2.9.10 and RHSSO 7.3.4 (latest as of today) ships jackson-databind-2.9.9.3-redhat-00001.jar. JDG 7.3.4 ships jackson-databind-2.9.9.3-redhat-00001.jar which seems to be affected hence creating tracker for it : JDG/modules/system/add-ons/jdg/.overlays/layer-jdg-jboss-jdg-7.3.4.CP/com/fasterxml/jackson/core/jackson-databind/jdg-7.3/jackson-databind-2.9.9.3-redhat-00001.jar This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160 This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445 This issue has been addressed in the following products: Red Hat Data Grid 7.3.5 Via RHSA-2020:0729 https://access.redhat.com/errata/RHSA-2020:0729 This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895 This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1644 https://access.redhat.com/errata/RHSA-2020:1644 This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067 This issue has been addressed in the following products: EAP-CD 19 Tech Preview Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333 This issue has been addressed in the following products: Red Hat Fuse 7.7.0 Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192 Statement: Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release. While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release. |