Bug 1758191 (CVE-2019-16943)

Summary: CVE-2019-16943 jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, bmontgom, brian.stansberry, btotty, cbyrne, cdewolf, chazlett, cmacedo, darran.lofthouse, dbecker, decathorpe, dffrench, dkreling, dosoudil, drieden, drusso, eparis, etirelli, ganandan, ggaughan, hhorak, hhudgeon, ibek, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jjoyce, jmadigan, jochrist, jokerman, jolee, jorton, jpallich, jperkins, jschatte, jschluet, jshepherd, jstastny, kbasil, krathod, kverlaen, kwills, lef, lgao, lhh, lpeer, lthon, lzap, mburns, mkolesni, mmccune, mnovotny, msochure, msvehla, mszynkie, ngough, nstielau, nwallace, paradhya, pdrozd, pgallagh, pjindal, pmackay, psotirop, puntogil, pwright, rchan, rguimara, rhcs-maint, rjerrido, rrajasek, rruss, rsvoboda, rsynek, sclewis, scohen, sdaley, slinaber, smaestri, sponnaga, stewardship-sig, sthorger, swoodman, tbrisker, tom.jenkinson, trepel, twalsh, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the p6spy gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-21 08:09:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1758193, 1760289, 1760290, 1762564, 1762566, 1762567, 1762568, 1762569, 1762570, 1762571, 1762572, 1781719    
Bug Blocks: 1758195    

Description Pedro Sampaio 2019-10-03 13:58:18 UTC
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Upstream issue:

https://github.com/FasterXML/jackson-databind/issues/2478

Upstream patch:

https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f
https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b
https://github.com/FasterXML/jackson-databind/commit/54aa38d87dcffa5ccc23e64922e9536c82c1b9c8

References:

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Comment 1 Pedro Sampaio 2019-10-03 13:58:40 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1758193]

Comment 9 Anten Skrabec 2019-10-29 21:22:40 UTC
RHOSP: doesn't expose jackson-databind externally in a vulnerable way.

Comment 10 Anten Skrabec 2019-10-29 21:22:49 UTC
Statement:

Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

Comment 11 Paramvir jindal 2019-11-19 12:35:01 UTC
Marking RHSSO as affected fix because the fix version seems to be greater than jackson-databind 2.9.10 and RHSSO 7.3.4 (latest as of today) ships
jackson-databind-2.9.9.3-redhat-00001.jar.

Comment 17 Kunjan Rathod 2019-12-06 00:05:04 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss Data Virtualization & Services 6


Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 20 errata-xmlrpc 2020-01-21 02:24:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164

Comment 21 errata-xmlrpc 2020-01-21 02:56:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159

Comment 22 errata-xmlrpc 2020-01-21 03:21:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161

Comment 23 errata-xmlrpc 2020-01-21 03:46:43 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160

Comment 24 Product Security DevOps Team 2020-01-21 08:09:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16943

Comment 25 errata-xmlrpc 2020-02-06 08:35:59 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445

Comment 26 Jonathan Christison 2020-02-28 15:03:28 UTC
Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`

Comment 27 errata-xmlrpc 2020-03-18 14:52:20 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895

Comment 28 errata-xmlrpc 2020-03-18 17:37:25 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899

Comment 29 errata-xmlrpc 2020-03-23 13:20:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2020:0939 https://access.redhat.com/errata/RHSA-2020:0939

Comment 30 errata-xmlrpc 2020-04-28 15:34:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1644 https://access.redhat.com/errata/RHSA-2020:1644

Comment 32 errata-xmlrpc 2020-05-18 10:26:52 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

Comment 33 errata-xmlrpc 2020-05-26 16:09:37 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321

Comment 34 errata-xmlrpc 2020-05-28 15:59:09 UTC
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333