Bug 1538332 (CVE-2018-5968) - CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)
Summary: CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blac...
Status: NEW
Alias: CVE-2018-5968
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180118,repor...
Keywords: Security
Depends On: 1538395 1551372 1538333 1539162 1539163 1551370 1551371 1565285
Blocks: 1538335
TreeView+ depends on / blocked
 
Reported: 2018-01-24 20:31 UTC by Laura Pardo
Modified: 2019-04-10 11:22 UTC (History)
77 users (show)

Fixed In Version: jackson-databind-2.9.4
Doc Type: If docs needed, set a value
Doc Text:
A deserialization flaw was discovered in the jackson-databind that could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaws CVE-2017-7525 and CVE-2017-17485 by blacklisting more classes that could be used maliciously.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0478 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.1 security update 2018-03-12 20:37:39 UTC
Red Hat Product Errata RHSA-2018:0479 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.1.1 on RHEL 6 2018-03-12 21:04:50 UTC
Red Hat Product Errata RHSA-2018:0480 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.1.1 for RHEL 7 2018-03-12 21:03:31 UTC
Red Hat Product Errata RHSA-2018:0481 normal SHIPPED_LIVE Important: jboss-ec2-eap package for EAP 7.1.1 2018-03-12 21:31:33 UTC
Red Hat Product Errata RHSA-2018:1525 None None None 2018-05-15 18:59 UTC

Description Laura Pardo 2018-01-24 20:31:59 UTC
A flaw was found in FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 which allows unauthenticated remote code execution due to an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

References:
https://github.com/FasterXML/jackson-databind/issues/1899

Patch:
https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05

Comment 1 Laura Pardo 2018-01-24 20:32:36 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1538333]

Comment 9 Jason Shepherd 2018-01-29 00:05:15 UTC
Reduced to moderate after internal discussions about ratings on flaws versus ratings per product. A moderate rating on the flaw will allow CVE pages and automated tools to better understand our impact rating of this flaw.

We expect most products are not vulnerable because of their configuration. If you're making use of JAX-RS Webservices in JBoss EAP 7, or a layered product please check that the webservices are coded according to the advise in:

  https://access.redhat.com/solutions/3279231

Comment 10 Václav Kadlčík 2018-01-30 14:30:28 UTC
https://access.redhat.com/security/cve/CVE-2018-5968 says
that rh-eclipse46-jackson-databind is under investigation.
Please, look at rh-eclipse47-jackson-databind as well.

Comment 11 Doran Moppert 2018-02-16 05:02:30 UTC
Statement:

JBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advice about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: 

https://access.redhat.com/solutions/3279231

This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellitw 6.x. However the affected code is NOT used at this time:

Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.

However as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.

Red Hat Subscription Asset Manager version 1 is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates.

Comment 15 errata-xmlrpc 2018-03-12 16:38:01 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0478

Comment 16 errata-xmlrpc 2018-03-12 17:01:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480

Comment 17 errata-xmlrpc 2018-03-12 17:03:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479

Comment 18 errata-xmlrpc 2018-03-12 17:24:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481

Comment 22 errata-xmlrpc 2018-05-15 18:58:36 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525


Note You need to log in before you can comment on or make changes to this bug.