Bug 1882310 (CVE-2020-24750)

Summary: CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: jackson-databind 2.9.10.6
Doc Text:
A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.6. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and system availability.
Last Closed: 2020-10-05 20:21:16 UTC
Bug Depends On: 1882313, 1882493, 1882494, 1882679, 1882680, 1882681, 1882682, 1882683, 1920722
Bug Blocks: 1882312

Description Dhananjay Arunesh 2020-09-24 10:06:51 UTC
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

Upstream bug:
https://github.com/FasterXML/jackson-databind/issues/2798

Upstream commits:
https://github.com/FasterXML/jackson-databind/commit/6cc9f1a1af323cd156f5668a47e43bab324ae16f
https://github.com/FasterXML/jackson-databind/commit/ad5a630174f08d279504bc51ebba8772fd71b86b

Comment 1 Dhananjay Arunesh 2020-09-24 10:08:51 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1882313]

Comment 7 Chess Hazlett 2020-09-24 16:25:23 UTC
Mitigation:

The following conditions are needed for an exploit; we recommend avoiding all of them if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`
* avoid com.pastdev.httpcomponents in the classpath
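
An added example (not code from this bug report or from jackson-databind itself) showing the `enableDefaultTyping()` configuration that satisfies the second condition above, beside the 2.10+ `activateDefaultTyping` form with an explicit allow-list that removes the "any class on the classpath" condition. It assumes jackson-databind 2.10 or later; the `Message` class and both JSON payloads are constructed for the demo.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {
    // The one polymorphic type this demo's API legitimately needs (constructed for the demo).
    public static class Message {
        public String text;
    }
    // Unsafe: the `enableDefaultTyping()` condition listed above. Any class on the classpath
    // can be named in the type-id slot, which is what makes a gadget such as JndiConfiguration
    // reachable from attacker-supplied JSON.
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }
    // Hardened (jackson-databind 2.10+): default typing stays on, but a
    // PolymorphicTypeValidator limits which classes a type id may resolve to.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Message.class) // explicit allow-list, nothing else
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }
    public static void main(String[] args) throws Exception {
        // Constructed payloads: the first names the allowed type, the second names a
        // class outside the allow-list (a harmless JDK class stands in for a gadget).
        String legit = "[\"" + Message.class.getName() + "\",{\"text\":\"hi\"}]";
        String other = "[\"java.util.HashMap\",{}]";
        Object o = unsafeMapper().readValue(other, Object.class);
        System.out.println("unsafe mapper instantiated " + o.getClass().getName());
        ObjectMapper safe = hardenedMapper();
        Object m = safe.readValue(legit, Object.class);
        System.out.println("hardened mapper accepted " + m.getClass().getSimpleName());
        try {
            safe.readValue(other, Object.class);
        } catch (JsonMappingException e) {
            // Rejected by the validator before any code of the named class runs.
            System.out.println("hardened mapper rejected: " + e.getOriginalMessage());
        }
    }
}
```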

Comment 14 Yadnyawalk Tale 2020-09-25 07:13:55 UTC
All active versions of Red Hat Satellite are using 2.10.0+ (2.10.1 to be exact); hence, as per https://github.com/FasterXML/jackson-databind/issues/2798#issue-658400094, this version is not affected by the flaw.

Comment 19 Anten Skrabec 2020-09-28 19:25:39 UTC
Statement:

The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit:
* JBoss Data Grid 7
* Business Process Management Suite 6
* Business Rules Management Suite 6
* JBoss Data Virtualization 6
* OpenShift Container Platform
These products may update the jackson-databind dependency in a future release.

The following Red Hat products ship OpenDaylight, which contains the vulnerable jackson-databind, but do not expose jackson-databind in a way that would make it exploitable:
* Red Hat OpenStack Platform 13
As such, Red Hat will not be providing a fix for OpenDaylight at this time.

The following Red Hat products are not affected by this flaw because they use a more recent version of jackson-databind that does not contain the vulnerable code:
* CodeReady Studio 12.16.0
* Red Hat Enterprise Linux 8
* Red Hat Enterprise Virtualization
* Red Hat Satellite 6

Comment 20 Jonathan Christison 2020-09-29 09:10:16 UTC
We disagree with the base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and instead believe the Attack Complexity to be higher: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploitability Metrics:

Attack Vector Network (AV:N) -

We agree here. Jackson-databind is commonly used by applications communicating across the network(s); a common example would be serializing and deserializing content for RESTful APIs. These are generally services available outside the local network and can be routable traffic.

Attack Complexity Low (AC:L) -> Attack Complexity High (AC:H):

We disagree with the original scoring of a low attack complexity; we believe the impact is significantly different depending on mitigating circumstances, that is to say, a successful attack depends on conditions beyond the attacker's control. We believe those conditions are:

* `enableDefaultTyping()` must be enabled. This by itself is a configuration option and something we must assume is enabled for the base score; however, the vector from which data is deserialized is application specific, and an attacker must invest some time in discovering what that is. In other words, the application must be written in such a way as to deserialize from untrusted sources.

* The exploit gadget (`com.pastdev.httpcomponents.configuration.JndiConfiguration`) must be available on the classpath. Again, this is application specific and is separate from configuration; it is another factor outside the attacker's control, and they must gather knowledge about the target environment.

Privileges Required None (PR:N) -
Agree here; the attacker does not need to be a privileged user, e.g. no login is required to exploit the base flaw.

User Interaction None (UI:N)
Agree here; there is no need for the attacker to coerce a user into performing actions in order to exploit this vulnerability.

Scope Unchanged (S:U)
Agree here; the attacker will not be able to escape the scope of the executing JVM solely due to this flaw.

Impact Metrics:

Confidentiality High (C:H)
Agree here; upon a successful exploit an attacker can access all information available to the executing JVM.

Integrity High (I:H)
We agree here; upon a successful exploit the attacker can arbitrarily run code (RCE), limited only by the scope of the executing JVM.

Availability High (A:H)
We agree here; again, as an attacker inherits the privileges of the JVM, it is possible to fully deny access to resources in the impacted component, and it's possible such attacks can be persistent by means of file modification.
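
As an added example (not part of the bug report or of Red Hat's tooling), the CVSS v3.1 base-score arithmetic applied to the two vectors in the comment above, so the 9.8 versus 8.1 disagreement over Attack Complexity can be recomputed rather than taken on trust. Only the metric weights those vectors need (Scope Unchanged) are encoded; the weight table and Roundup function follow the CVSS v3.1 specification.

```java
import java.util.HashMap;
import java.util.Map;

public class CvssBaseScore {
    // Metric weights from the CVSS v3.1 specification; Scope Unchanged only,
    // which is all the two vectors above need (PR weights differ under S:C).
    private static final Map<String, Double> W = new HashMap<>();
    static {
        W.put("AV:N", 0.85); W.put("AV:A", 0.62); W.put("AV:L", 0.55); W.put("AV:P", 0.2);
        W.put("AC:L", 0.77); W.put("AC:H", 0.44);
        W.put("PR:N", 0.85); W.put("PR:L", 0.62); W.put("PR:H", 0.27);
        W.put("UI:N", 0.85); W.put("UI:R", 0.62);
        W.put("C:H", 0.56); W.put("C:L", 0.22); W.put("C:N", 0.0);
        W.put("I:H", 0.56); W.put("I:L", 0.22); W.put("I:N", 0.0);
        W.put("A:H", 0.56); W.put("A:L", 0.22); W.put("A:N", 0.0);
    }

    // CVSS v3.1 "Roundup": smallest number with one decimal place that is >= x,
    // computed on integers so floating-point drift cannot flip the result.
    static double roundup(double x) {
        long i = Math.round(x * 100000);
        if (i % 10000 == 0) return i / 100000.0;
        return (Math.floor(i / 10000.0) + 1) / 10.0;
    }

    // Base score for an S:U vector, e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H".
    static double baseScore(String vector) {
        Map<String, Double> m = new HashMap<>();
        for (String part : vector.split("/")) {
            if (part.startsWith("CVSS:") || part.equals("S:U")) continue;
            Double w = W.get(part);
            if (w == null) throw new IllegalArgumentException("unsupported metric " + part);
            m.put(part.substring(0, part.indexOf(':')), w);
        }
        double iss = 1 - (1 - m.get("C")) * (1 - m.get("I")) * (1 - m.get("A"));
        double impact = 6.42 * iss;
        double exploitability = 8.22 * m.get("AV") * m.get("AC") * m.get("PR") * m.get("UI");
        if (impact <= 0) return 0.0;
        return roundup(Math.min(impact + exploitability, 10));
    }

    public static void main(String[] args) {
        // The original 9.8 vector versus the AC:H variant proposed in the comment above.
        System.out.println(baseScore("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"));
        System.out.println(baseScore("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"));
    }
}
```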

Comment 24 errata-xmlrpc 2020-10-05 15:11:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4173 https://access.redhat.com/errata/RHSA-2020:4173

Comment 25 Product Security DevOps Team 2020-10-05 20:21:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-24750

Comment 26 errata-xmlrpc 2021-02-24 15:00:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5635 https://access.redhat.com/errata/RHSA-2020:5635

Comment 27 errata-xmlrpc 2021-04-27 08:56:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:1230 https://access.redhat.com/errata/RHSA-2021:1230