Bug 1506612 (CVE-2017-15095) - CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
Summary: CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete bla...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-15095
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1506725 1506726 1507388 1507389 1507699 1507700 1507701 1507702 1507703 1508703 1510363 1515023 1527998 1527999 1730588 1731780 1731787 1731789 1731790 1731792 1732286 1732291 1732539
Blocks: 1503101
TreeView+ depends on / blocked
 
Reported: 2017-10-26 12:52 UTC by Adam Mariš
Modified: 2019-10-18 19:52 UTC (History)
90 users (show)

Fixed In Version: jackson-databind 2.8.10, jackson-databind-2.9.2
Doc Type: If docs needed, set a value
Doc Text:
A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:29:58 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3189 normal SHIPPED_LIVE Important: rh-eclipse47-jackson-databind security update 2017-11-13 09:24:47 UTC
Red Hat Product Errata RHSA-2017:3190 normal SHIPPED_LIVE Important: rh-eclipse46-jackson-databind security update 2017-11-13 09:36:35 UTC
Red Hat Product Errata RHSA-2018:0342 normal SHIPPED_LIVE Important: rh-maven35-jackson-databind security update 2018-02-22 14:21:40 UTC
Red Hat Product Errata RHSA-2018:0478 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.1 security update 2018-03-12 20:37:39 UTC
Red Hat Product Errata RHSA-2018:0479 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.1.1 on RHEL 6 2018-03-12 21:04:50 UTC
Red Hat Product Errata RHSA-2018:0480 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.1.1 for RHEL 7 2018-03-12 21:03:31 UTC
Red Hat Product Errata RHSA-2018:0481 normal SHIPPED_LIVE Important: jboss-ec2-eap package for EAP 7.1.1 2018-03-12 21:31:33 UTC
Red Hat Product Errata RHSA-2018:0576 None None None 2018-03-22 08:09:46 UTC
Red Hat Product Errata RHSA-2018:0577 None None None 2018-03-22 08:11:18 UTC
Red Hat Product Errata RHSA-2018:1447 None None None 2018-05-14 20:16:09 UTC
Red Hat Product Errata RHSA-2018:1448 None None None 2018-05-14 20:36:39 UTC
Red Hat Product Errata RHSA-2018:1449 None None None 2018-05-14 20:38:55 UTC
Red Hat Product Errata RHSA-2018:1450 None None None 2018-05-14 20:43:10 UTC
Red Hat Product Errata RHSA-2018:1451 None None None 2018-05-14 20:50:57 UTC
Red Hat Product Errata RHSA-2018:2927 None None None 2018-10-16 15:20:36 UTC
Red Hat Product Errata RHSA-2019:2858 None None None 2019-09-27 00:13:40 UTC
Red Hat Product Errata RHSA-2019:3149 None None None 2019-10-18 19:52:24 UTC

Description Adam Mariš 2017-10-26 12:52:37 UTC
An unsafe deserialization vulnerability was found due to incomplete blacklisting of the unsafe elements. This issue is incomplete fix for CVE-2017-7525.

Comment 1 Adam Mariš 2017-10-26 12:52:42 UTC
Acknowledgments:

Name: Liao Xinxi (NSFOCUS)

Comment 11 Doran Moppert 2017-11-02 01:20:35 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1508703]

Comment 13 Doran Moppert 2017-11-07 06:43:25 UTC
Mitigation:

Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

Comment 14 errata-xmlrpc 2017-11-13 04:25:09 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2017:3189 https://access.redhat.com/errata/RHSA-2017:3189

Comment 15 errata-xmlrpc 2017-11-13 04:37:02 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3190 https://access.redhat.com/errata/RHSA-2017:3190

Comment 23 Jason Shepherd 2017-12-14 06:03:51 UTC
Statement:

This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:

Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.

However as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.

JBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: 

https://access.redhat.com/solutions/3279231

Comment 30 errata-xmlrpc 2018-02-22 09:21:31 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0342 https://access.redhat.com/errata/RHSA-2018:0342

Comment 31 errata-xmlrpc 2018-03-12 16:39:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0478

Comment 32 errata-xmlrpc 2018-03-12 17:00:01 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480

Comment 33 errata-xmlrpc 2018-03-12 17:02:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479

Comment 34 errata-xmlrpc 2018-03-12 17:23:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481

Comment 35 errata-xmlrpc 2018-03-22 08:09:13 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2018:0576 https://access.redhat.com/errata/RHSA-2018:0576

Comment 36 errata-xmlrpc 2018-03-22 08:10:47 UTC
This issue has been addressed in the following products:

  Red Hat Business Automation

Via RHSA-2018:0577 https://access.redhat.com/errata/RHSA-2018:0577

Comment 37 errata-xmlrpc 2018-05-14 20:15:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447

Comment 38 errata-xmlrpc 2018-05-14 20:36:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448

Comment 39 errata-xmlrpc 2018-05-14 20:38:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449

Comment 40 errata-xmlrpc 2018-05-14 20:42:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450

Comment 41 errata-xmlrpc 2018-05-14 20:50:27 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451

Comment 43 Bharti Kundal 2018-05-16 07:34:50 UTC
External References:

https://access.redhat.com/solutions/3442891

Comment 44 errata-xmlrpc 2018-10-16 15:20:00 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

Comment 55 errata-xmlrpc 2019-09-27 00:13:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858

Comment 56 errata-xmlrpc 2019-10-18 19:52:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149


Note You need to log in before you can comment on or make changes to this bug.