Bug 1715075 (CVE-2019-10172) - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720
Summary: CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10172
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1697692
TreeView+ depends on / blocked
 
Reported: 2019-05-29 14:04 UTC by Pedro Sampaio
Modified: 2021-03-04 13:33 UTC (History)
86 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries such that an XML external entity (XXE) vulnerability affects codehaus's jackson-mapper-asl libraries. This vulnerability is similar to CVE-2016-3720. The primary threat from this flaw is data integrity.
Clone Of:
Environment:
Last Closed: 2020-05-12 10:31:49 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2058 0 None None None 2020-05-11 20:10:38 UTC
Red Hat Product Errata RHSA-2020:2059 0 None None None 2020-05-11 20:13:41 UTC
Red Hat Product Errata RHSA-2020:2060 0 None None None 2020-05-11 20:16:36 UTC
Red Hat Product Errata RHSA-2020:2061 0 None None None 2020-05-11 20:19:42 UTC
Red Hat Product Errata RHSA-2020:2112 0 None None None 2020-05-12 17:17:13 UTC
Red Hat Product Errata RHSA-2020:2511 0 None None None 2020-06-10 19:05:33 UTC
Red Hat Product Errata RHSA-2020:2512 0 None None None 2020-06-11 07:16:49 UTC
Red Hat Product Errata RHSA-2020:2513 0 None None None 2020-06-11 07:08:13 UTC
Red Hat Product Errata RHSA-2020:2515 0 None None None 2020-06-10 19:23:49 UTC
Red Hat Product Errata RHSA-2020:3192 0 None None None 2020-07-28 15:54:32 UTC
Red Hat Product Errata RHSA-2020:3585 0 None None None 2020-08-31 15:40:51 UTC
Red Hat Product Errata RHSA-2020:3779 0 None None None 2020-09-17 13:08:04 UTC

Description Pedro Sampaio 2019-05-29 14:04:56 UTC
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.

References:

https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721

Comment 3 Jason Shepherd 2019-08-08 04:41:25 UTC
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 4 Joshua Padman 2019-08-12 02:26:23 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss A-MQ 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 7 Marian Rehak 2019-11-18 14:50:23 UTC
Acknowledgments:

Name: Brian Stansberry (Red Hat)

Comment 8 Paramvir jindal 2019-11-19 09:04:10 UTC
RHSSO 7.3.3 ships :
rh-sso-7.3/modules/system/layers/base/org/codehaus/jackson/jackson-mapper-asl/main/jackson-mapper-asl-1.9.13.redhat-4.jar

Seems affected hence creating tracker for RHSSO.

Comment 16 Joshua Padman 2020-04-01 02:03:21 UTC
Statement:

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

Comment 17 errata-xmlrpc 2020-05-11 20:10:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:2058 https://access.redhat.com/errata/RHSA-2020:2058

Comment 18 errata-xmlrpc 2020-05-11 20:13:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:2059 https://access.redhat.com/errata/RHSA-2020:2059

Comment 19 errata-xmlrpc 2020-05-11 20:16:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:2060 https://access.redhat.com/errata/RHSA-2020:2060

Comment 20 errata-xmlrpc 2020-05-11 20:19:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2061 https://access.redhat.com/errata/RHSA-2020:2061

Comment 21 Product Security DevOps Team 2020-05-12 10:31:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10172

Comment 22 errata-xmlrpc 2020-05-12 17:17:09 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign On 7.3.8

Via RHSA-2020:2112 https://access.redhat.com/errata/RHSA-2020:2112

Comment 23 errata-xmlrpc 2020-06-10 19:05:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511

Comment 24 errata-xmlrpc 2020-06-10 19:23:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515

Comment 25 errata-xmlrpc 2020-06-11 07:08:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513

Comment 26 errata-xmlrpc 2020-06-11 07:16:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512

Comment 27 errata-xmlrpc 2020-07-28 15:54:28 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192

Comment 28 errata-xmlrpc 2020-08-31 15:40:46 UTC
This issue has been addressed in the following products:

  EAP-CD 20 Tech Preview

Via RHSA-2020:3585 https://access.redhat.com/errata/RHSA-2020:3585

Comment 29 errata-xmlrpc 2020-09-17 13:07:59 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.7

Via RHSA-2020:3779 https://access.redhat.com/errata/RHSA-2020:3779


Note You need to log in before you can comment on or make changes to this bug.