Red Hat Bugzilla – Bug 1506612
CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
Last modified: 2018-10-19 17:44:12 EDT
An unsafe deserialization vulnerability was found due to incomplete blacklisting of the unsafe elements. This issue is incomplete fix for CVE-2017-7525.
Acknowledgments: Name: Liao Xinxi (NSFOCUS)
Other distributions may have made the same mistake, since the original upstream ticket was closed before additional names were added to the blacklist. Original ticket + patches (CVE-2017-7525): https://github.com/FasterXML/jackson-databind/issues/1599 https://github.com/FasterXML/jackson-databind/commit/60d459ce https://github.com/FasterXML/jackson-databind/commit/3bfbb835 Further tickets and patches to block more dangerous types (I think these are all): https://github.com/FasterXML/jackson-databind/issues/1680 https://github.com/FasterXML/jackson-databind/issues/1723 https://github.com/FasterXML/jackson-databind/issues/1737 https://github.com/FasterXML/jackson-databind/commit/e8f043d1 https://github.com/FasterXML/jackson-databind/commit/ddfddfba This CVE-2017-15095 should be considered to include everything in NO_DESER_CLASS_NAMES as of today: https://github.com/FasterXML/jackson-databind/blob/7093008aa2afe8068e120df850189ae072dfa1b2/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java#L43
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1508703]
Mitigation: Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2017:3189 https://access.redhat.com/errata/RHSA-2017:3189
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2017:3190 https://access.redhat.com/errata/RHSA-2017:3190
Statement: This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time: Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected. However as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked. JBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: https://access.redhat.com/solutions/3279231
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0342 https://access.redhat.com/errata/RHSA-2018:0342
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0478
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2018:0576 https://access.redhat.com/errata/RHSA-2018:0576
This issue has been addressed in the following products: Red Hat Business Automation Via RHSA-2018:0577 https://access.redhat.com/errata/RHSA-2018:0577
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451
External References: https://access.redhat.com/solutions/3442891
This issue has been addressed in the following products: Red Hat Satellite 6.4 for RHEL 7 Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927