Bug 1848966 (CVE-2020-14061)

Summary: CVE-2020-14061 jackson-databind: serialization in weblogic/oracle-aqjms
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bibryam, bkearney, bmaxwell, bmontgom, brian.stansberry, btotty, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dbecker, decathorpe, dkreling, dosoudil, drieden, eparis, etirelli, ganandan, ggaughan, gmalinko, gsmet, hhorak, hhudgeon, ibek, iweiss, janstey, java-maint, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jjoyce, jochrist, jokerman, jolee, jorton, jpallich, jperkins, jross, jschatte, jschluet, jstastny, jwon, krathod, kverlaen, kwills, lef, lgao, lhh, lpeer, lthon, lzap, mburns, mkolesni, mmccune, mnovotny, msochure, msvehla, mszynkie, nmoumoul, nstielau, nwallace, pantinor, paradhya, pdrozd, pgallagh, pjindal, pmackay, psotirop, puntogil, rchan, rguimara, rhcs-maint, rjerrido, rrajasek, rruss, rstancel, rsvoboda, rsynek, sbiarozk, sclewis, scohen, sdaley, sdouglas, slinaber, smaestri, sokeeffe, sponnaga, stewardship-sig, sthorger, swoodman, tom.jenkinson, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jackson-databind 2.9.10.5 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-28 19:28:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1848967, 1849551, 1849552, 1850641, 1850642, 1866715    
Bug Blocks: 1848970    

Description Dhananjay Arunesh 2020-06-19 12:05:08 UTC 
A vulnerability was found in FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory.

References:
https://github.com/FasterXML/jackson-databind/issues/2698
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
Comment 1 Dhananjay Arunesh 2020-06-19 12:06:26 UTC 
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1848967]
Comment 3 Chess Hazlett 2020-06-19 17:03:17 UTC 
Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible:
* Deserialization from sources you do not control
* enableDefaultTyping()
* @JsonTypeInfo using id.CLASS or id.MINIMAL_CLASS
* oracle.jms.AQjms*ConnectionFactory in classpath
Comment 16 Yadnyawalk Tale 2020-06-25 11:19:09 UTC 
Statement:

While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

The PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.

The version of jackson-databind as shipped in Red Hat Software Collections rh-maven35 is used only while building maven, thus it does not deserialize data coming from untrusted sources, lowering the impact of the vulnerability for the Product.
Comment 17 errata-xmlrpc 2020-07-28 15:57:19 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
Comment 18 Product Security DevOps Team 2020-07-28 19:28:27 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14061
Comment 19 errata-xmlrpc 2020-07-29 06:09:12 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:3196 https://access.redhat.com/errata/RHSA-2020:3196
Comment 20 errata-xmlrpc 2020-07-29 06:25:32 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197
Comment 21 errata-xmlrpc 2020-10-27 12:57:16 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 8

Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366