A flaw was found in FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 which allows unauthenticated remote code execution due to an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. References: https://github.com/FasterXML/jackson-databind/issues/1899 Patch: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1538333]
Reduced to moderate after internal discussions about ratings on flaws versus ratings per product. A moderate rating on the flaw will allow CVE pages and automated tools to better understand our impact rating of this flaw. We expect most products are not vulnerable because of their configuration. If you're making use of JAX-RS Webservices in JBoss EAP 7, or a layered product please check that the webservices are coded according to the advise in: https://access.redhat.com/solutions/3279231
https://access.redhat.com/security/cve/CVE-2018-5968 says that rh-eclipse46-jackson-databind is under investigation. Please, look at rh-eclipse47-jackson-databind as well.
Statement: JBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advice about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: https://access.redhat.com/solutions/3279231 This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellitw 6.x. However the affected code is NOT used at this time: Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected. However as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked. Red Hat Subscription Asset Manager version 1 is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0478
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481
This issue has been addressed in the following products: Red Hat Virtualization 4 for RHEL-7 Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149