Red Hat Bugzilla – Bug 1549276
CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
Last modified: 2018-11-02 11:33:07 EDT
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. Upstream issue: https://github.com/FasterXML/jackson-databind/issues/1931 Upstream patch: https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1549279]
Mitigation: Advice on how to remain safe while using JAX-RS webservices on JBoss EAP 7.x is available here: https://access.redhat.com/solutions/3279231 https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization
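As an added illustration of the mitigation referenced above (example code written here, not taken from the bug report, Red Hat or the Jackson project), the snippet below places the weak configuration that the CVE-2017-7525 / CVE-2018-7489 family depends on next to the allowlist style the linked JacksonPolymorphicDeserialization page recommends. It assumes jackson-databind 2.9 or later on the classpath; the Shape/Circle/Square hierarchy, the "type" property and the rejected type id are constructed for the demonstration.

```java
// Added example: weak global default typing versus an explicit subtype allowlist.
// Names (Shape, Circle, Square, "type", the rejected id) are assumptions for illustration.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicHardening {

    // Hypothetical payload hierarchy. The allowlist lives on the base type:
    // Jackson may only instantiate the subtypes named here, resolved by a
    // logical name, never by a caller-supplied class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public static abstract class Shape { }
    public static class Circle extends Shape { public double radius; }
    public static class Square extends Shape { public double side; }

    /**
     * Weak setting: global default typing makes readValue() trust a type id
     * embedded in the input, so the sender chooses which class on the classpath
     * gets instantiated. A blacklist of known-bad classes (the approach the
     * report describes as incomplete) is the only thing standing in the way.
     */
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // never combine this with untrusted input
        return m;
    }

    /**
     * Hardened setting: no default typing at all. Polymorphism is only
     * available where a base type carries an explicit @JsonSubTypes allowlist,
     * which makes the c3p0-style gadget classes unreachable regardless of
     * what is on the classpath.
     */
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input using an allowed logical name: accepted.
        Shape ok = mapper.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("accepted: " + ok.getClass().getSimpleName());

        // Constructed input naming a type outside the allowlist. With NAME-based
        // ids the value is a logical name, so an arbitrary class name is simply
        // unknown and is rejected before any instantiation takes place.
        try {
            mapper.readValue("{\"type\":\"com.example.NotOnAllowlist\",\"x\":1}", Shape.class);
            System.out.println("unexpected: input accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

Run with jackson-databind on the classpath; the hardened mapper prints "accepted: Circle" for the first input and "rejected type id: com.example.NotOnAllowlist" for the second. The design point is that an allowlist fails closed: a class the author never registered cannot be reached, whereas the blacklist the report describes fails open whenever a new gadget library (here c3p0) appears on the classpath.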
RHMAP does not use RESTEasy in an unsafe way. Marking as not affected.
RHOAR VertX uses c3p0 and jackson-databind 2.9.3, so is affected by this flaw. Filing a tracking bug which will target the 3.5.1 release.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451
External References: https://access.redhat.com/solutions/3442891
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2018:1786 https://access.redhat.com/errata/RHSA-2018:1786
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2088 https://access.redhat.com/errata/RHSA-2018:2088
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:2090 https://access.redhat.com/errata/RHSA-2018:2090
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:2089 https://access.redhat.com/errata/RHSA-2018:2089
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes (text-only advisories) Via RHSA-2018:2938 https://access.redhat.com/errata/RHSA-2018:2938
This issue has been addressed in the following products: Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R8 Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939
Statement: Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. Satellite 6.2 does not support c3p0 classes. Since the latter are required for this flaw, Satellite 6.2 is not affected. Satellite 6.3 and 6.4 are not affected because Candlepin does not use polymorphic deserialization.