Bug 1793154 (CVE-2019-20330)

Summary: CVE-2019-20330 jackson-databind: lacks certain net.sf.ehcache blocking
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, bmontgom, brian.stansberry, btotty, cbyrne, cdewolf, chazlett, cmacedo, darran.lofthouse, decathorpe, dffrench, dkreling, dosoudil, drieden, drusso, eparis, etirelli, ganandan, ggaughan, hhorak, hhudgeon, ibek, iweiss, janstey, java-maint, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jmadigan, jochrist, jokerman, jorton, jpallich, jperkins, jshepherd, jstastny, jwon, krathod, kverlaen, kwills, lef, lgao, lthon, lzap, mmccune, mnovotny, msochure, msvehla, mszynkie, ngough, nstielau, nwallace, paradhya, pdrozd, pgallagh, pjindal, pmackay, psotirop, puntogil, pwright, rchan, rguimara, rhcs-maint, rjerrido, rrajasek, rruss, rsvoboda, rsynek, sdaley, smaestri, sokeeffe, sponnaga, stewardship-sig, sthorger, swoodman, tom.jenkinson, trepel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jackson-databind-2.9.10.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-23 16:32:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1793804, 1793805, 1793806, 1793807, 1793808, 1807027, 1807028, 1807029, 1809055, 1809056    
Bug Blocks: 1793167    

Description Guilherme de Almeida Suckevicz 2020-01-20 20:02:19 UTC 
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

References:
https://github.com/FasterXML/jackson-databind/issues/2526
Comment 1 Fabio Valentini 2020-01-20 22:48:45 UTC 
fedora seems to be not affected by this, as we have jackson-databind 2.10.1 in fedora 30, 31, and rawhide:
https://apps.fedoraproject.org/packages/jackson-databind
Comment 4 Jason Shepherd 2020-01-22 04:09:44 UTC 
Statement:

While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.
Comment 8 Jason Shepherd 2020-02-06 03:20:27 UTC 
Red Hat Mobile Application Platform is now End of Life:
https://access.redhat.com/support/policy/updates/rhmap
Comment 14 Eric Christensen 2020-03-04 20:46:07 UTC 
Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`
Comment 15 errata-xmlrpc 2020-03-23 13:21:02 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2020:0939 https://access.redhat.com/errata/RHSA-2020:0939
Comment 16 Product Security DevOps Team 2020-03-23 16:32:03 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20330
Comment 17 errata-xmlrpc 2020-03-23 20:13:59 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951
Comment 20 Mauro Matteo Cascella 2020-04-23 09:41:29 UTC 
Upstream fix:
https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e
Comment 21 errata-xmlrpc 2020-05-18 10:27:29 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
Comment 22 errata-xmlrpc 2020-05-28 15:59:40 UTC 
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
Comment 24 errata-xmlrpc 2020-07-28 15:55:44 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
Comment 25 errata-xmlrpc 2020-07-29 06:07:28 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:3196 https://access.redhat.com/errata/RHSA-2020:3196
Comment 26 errata-xmlrpc 2020-07-29 06:22:40 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197