Bug 1506612 - (CVE-2017-15095) CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete bla...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20171102,repo...
: Security
Depends On: 1506726 1507388 1507389 1507699 1507702 1515023 1527998 1527999 1506725 1507700 1507701 1507703 1508703 1510363
Blocks: 1503101
  Show dependency treegraph
 
Reported: 2017-10-26 08:52 EDT by Adam Mariš
Modified: 2018-02-22 04:21 EST (History)
93 users (show)

See Also:
Fixed In Version: jackson-databind 2.8.10, jackson-databind-2.9.2
Doc Type: If docs needed, set a value
Doc Text:
A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2017-10-26 08:52:37 EDT
An unsafe deserialization vulnerability was found due to incomplete blacklisting of the unsafe elements. This issue is incomplete fix for CVE-2017-7525.
Comment 1 Adam Mariš 2017-10-26 08:52:42 EDT
Acknowledgments:

Name: Liao Xinxi (NSFOCUS)
Comment 11 Doran Moppert 2017-11-01 21:20:35 EDT
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1508703]
Comment 13 Doran Moppert 2017-11-07 01:43:25 EST
Mitigation:

Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Comment 14 errata-xmlrpc 2017-11-12 23:25:09 EST
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2017:3189 https://access.redhat.com/errata/RHSA-2017:3189
Comment 15 errata-xmlrpc 2017-11-12 23:37:02 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2017:3190 https://access.redhat.com/errata/RHSA-2017:3190
Comment 18 Kurt Seifried 2017-12-08 15:44:06 EST
Statement:

This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellitw 6.x. However the affected code is NOT used at this time:

Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.

However as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.
Comment 21 Jason Shepherd 2017-12-13 20:08:32 EST
Statement:

EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on EAP 7.x is available here: 

https://access.redhat.com/solutions/3279231
Comment 23 Jason Shepherd 2017-12-14 01:03:51 EST
Statement:

This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:

Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.

However as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.

JBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: 

https://access.redhat.com/solutions/3279231
Comment 30 errata-xmlrpc 2018-02-22 04:21:31 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0342 https://access.redhat.com/errata/RHSA-2018:0342

Note You need to log in before you can comment on or make changes to this bug.