Bug 1775293 (CVE-2019-17531)

Summary: CVE-2019-17531 jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact: Martin Kyral <mkyral>
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, bmontgom, brian.stansberry, btotty, cbyrne, cdewolf, chazlett, cmacedo, darran.lofthouse, decathorpe, dffrench, dkreling, dosoudil, drieden, drusso, eparis, etirelli, ganandan, ggaughan, hhorak, hhudgeon, ibek, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jmadigan, jochrist, jokerman, jorton, jpallich, jperkins, jshepherd, jstastny, krathod, kverlaen, kwills, lef, lgao, lthon, lzap, mmccune, mnovotny, msochure, msvehla, mszynkie, ngough, nstielau, nwallace, paradhya, pdrozd, pgallagh, pmackay, psotirop, puntogil, pwright, rchan, rguimara, rhcs-maint, rjerrido, rmeggins, rrajasek, rruss, rsvoboda, rsynek, sdaley, smaestri, sokeeffe, sponnaga, stewardship-sig, sthorger, swoodman, tom.jenkinson, trepel, trogers, twalsh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jackson-databind 2.9.10.1, jackson-databind 2.6.7.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the log4j-extra gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-10 19:24:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1775300, 1776544, 1776545, 1776546, 1776548, 1777744, 1777745, 1777746, 1777747    
Bug Blocks: 1775297    

Description Dhananjay Arunesh 2019-11-21 16:58:45 UTC 
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Reference:
https://github.com/FasterXML/jackson-databind/issues/2498
Comment 1 Dhananjay Arunesh 2019-11-21 17:08:57 UTC 
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1775300]
Comment 3 Paramvir jindal 2019-11-22 06:53:48 UTC 
Marked RHSSO as affected fix because the fix version seems to be jackson-databind 2.9.10 and RHSSO 7.3.4 (latest as of today) ships jackson-databind-2.9.9.3-redhat-00001.jar.

rhsso-7.3/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.4.CP/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.9.3-redhat-00001.jar
Comment 5 Riccardo Schirone 2019-11-22 11:24:43 UTC 
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0
Comment 21 errata-xmlrpc 2019-12-10 16:12:44 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:4192 https://access.redhat.com/errata/RHSA-2019:4192
Comment 22 Product Security DevOps Team 2019-12-10 19:24:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17531
Comment 26 errata-xmlrpc 2020-01-21 02:24:10 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164
Comment 27 errata-xmlrpc 2020-01-21 02:56:43 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159
Comment 28 errata-xmlrpc 2020-01-21 03:22:04 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161
Comment 29 errata-xmlrpc 2020-01-21 03:46:52 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160
Comment 30 errata-xmlrpc 2020-02-06 08:36:20 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445
Comment 31 Jonathan Christison 2020-02-28 15:06:17 UTC 
Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`
Comment 32 errata-xmlrpc 2020-03-18 14:52:25 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895
Comment 33 errata-xmlrpc 2020-03-18 17:37:41 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
Comment 34 errata-xmlrpc 2020-03-23 13:20:52 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2020:0939 https://access.redhat.com/errata/RHSA-2020:0939
Comment 35 errata-xmlrpc 2020-04-28 15:34:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1644 https://access.redhat.com/errata/RHSA-2020:1644
Comment 36 errata-xmlrpc 2020-05-18 10:27:26 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
Comment 37 errata-xmlrpc 2020-05-28 15:59:38 UTC 
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
Comment 38 errata-xmlrpc 2020-07-28 15:55:37 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
Comment 40 Jason Shepherd 2021-03-17 01:28:52 UTC 
Statement:

Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.

Red Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.