Bug 1725795 (CVE-2019-12814) - CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.
Summary: CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-12814
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1725796 1726928 1726929 1730588 1731780 1731787 1731789 1731790 1731792 1732286 1732291 1732539
Blocks: 1725811
TreeView+ depends on / blocked
 
Reported: 2019-07-01 13:15 UTC by msiddiqu
Modified: 2021-02-16 21:46 UTC (History)
103 users (show)

Fixed In Version: jackson-databind 2.9.9.1
Doc Type: If docs needed, set a value
Doc Text:
A new polymorphic typing flaw was discovered in FasterXML jackson-databind, versions 2.x through 2.9.9. With default typing enabled, an attacker can send a specifically crafted JSON message to the server that allows them to read arbitrary local files.
Clone Of:
Environment:
Last Closed: 2019-09-27 00:45:40 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2858 0 None None None 2019-09-27 00:14:30 UTC
Red Hat Product Errata RHSA-2019:2935 0 None None None 2019-09-30 22:53:51 UTC
Red Hat Product Errata RHSA-2019:2936 0 None None None 2019-09-30 22:55:57 UTC
Red Hat Product Errata RHSA-2019:2937 0 None None None 2019-09-30 22:51:37 UTC
Red Hat Product Errata RHSA-2019:2938 0 None None None 2019-09-30 22:58:10 UTC
Red Hat Product Errata RHSA-2019:3044 0 None None None 2019-10-14 18:28:46 UTC
Red Hat Product Errata RHSA-2019:3045 0 None None None 2019-10-14 18:29:06 UTC
Red Hat Product Errata RHSA-2019:3046 0 None None None 2019-10-14 18:29:26 UTC
Red Hat Product Errata RHSA-2019:3050 0 None None None 2019-10-14 18:59:31 UTC
Red Hat Product Errata RHSA-2019:3149 0 None None None 2019-10-18 19:53:11 UTC
Red Hat Product Errata RHSA-2019:3292 0 None None None 2019-10-31 17:27:04 UTC
Red Hat Product Errata RHSA-2019:3297 0 None None None 2019-10-31 19:10:11 UTC
Red Hat Product Errata RHSA-2020:0983 0 None None None 2020-03-26 15:47:47 UTC

Description msiddiqu 2019-07-01 13:15:45 UTC 
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Upstream issue: 

https://github.com/FasterXML/jackson-databind/issues/2341

Upstream patch: 

https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5
Comment 1 msiddiqu 2019-07-01 13:16:05 UTC 
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1725796]
Comment 3 Doran Moppert 2019-07-04 05:54:24 UTC 
Mitigation:

This vulnerability relies on jdom (org.jdom) or jdom2 (org.jdom2) being present in the application's ClassPath.  Applications using jackson-databind that do not also use jdom or jdom2 are not impacted by this vulnerability.
Comment 5 Joshua Padman 2019-07-05 02:57:38 UTC 
OpenDaylight in Red Hat OpenStack 9 & 10 was released as Technical Preview and is not receiving fixes.
Comment 10 Summer Long 2019-07-10 06:05:37 UTC 
Statement:

* Red Hat Satellite 6 does not include the jdom or jdom2 packages, thus it is not affected by this vulnerability. 
* Red Hat OpenStack's OpenDaylight does not include the jdom or jdom2 packages, thus it is not affected by this vulnerability.
Comment 21 errata-xmlrpc 2019-09-27 00:14:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858
Comment 22 Product Security DevOps Team 2019-09-27 00:45:40 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12814
Comment 23 errata-xmlrpc 2019-09-30 22:51:33 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:2937 https://access.redhat.com/errata/RHSA-2019:2937
Comment 24 errata-xmlrpc 2019-09-30 22:53:48 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:2935 https://access.redhat.com/errata/RHSA-2019:2935
Comment 25 errata-xmlrpc 2019-09-30 22:55:54 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:2936 https://access.redhat.com/errata/RHSA-2019:2936
Comment 26 errata-xmlrpc 2019-09-30 22:58:07 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:2938 https://access.redhat.com/errata/RHSA-2019:2938
Comment 27 errata-xmlrpc 2019-10-14 18:28:42 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 6

Via RHSA-2019:3044 https://access.redhat.com/errata/RHSA-2019:3044
Comment 28 errata-xmlrpc 2019-10-14 18:29:02 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 7

Via RHSA-2019:3045 https://access.redhat.com/errata/RHSA-2019:3045
Comment 29 errata-xmlrpc 2019-10-14 18:29:22 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 8

Via RHSA-2019:3046 https://access.redhat.com/errata/RHSA-2019:3046
Comment 30 errata-xmlrpc 2019-10-14 18:59:26 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.4 zip

Via RHSA-2019:3050 https://access.redhat.com/errata/RHSA-2019:3050
Comment 31 errata-xmlrpc 2019-10-18 19:53:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149
Comment 32 errata-xmlrpc 2019-10-31 17:27:01 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2019:3292 https://access.redhat.com/errata/RHSA-2019:3292
Comment 33 errata-xmlrpc 2019-10-31 19:10:06 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2019:3297 https://access.redhat.com/errata/RHSA-2019:3297
Comment 35 errata-xmlrpc 2020-03-26 15:47:42 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
Note You need to log in before you can comment on or make changes to this bug.