Bug 1725795 (CVE-2019-12814) - CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.
Summary: CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-12814
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1725796 1726928 1726929 1730588 1731780 1731787 1731789 1731790 1731792 1732286 1732291 1732539
Blocks: 1725811
TreeView+ depends on / blocked
 
Reported: 2019-07-01 13:15 UTC by msiddiqu
Modified: 2020-09-17 15:03 UTC (History)
103 users (show)

Fixed In Version: jackson-databind 2.9.9.1
Doc Type: If docs needed, set a value
Doc Text:
A new polymorphic typing flaw was discovered in FasterXML jackson-databind, versions 2.x through 2.9.9. With default typing enabled, an attacker can send a specifically crafted JSON message to the server that allows them to read arbitrary local files.
Clone Of:
Environment:
Last Closed: 2019-09-27 00:45:40 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2858 None None None 2019-09-27 00:14:30 UTC
Red Hat Product Errata RHSA-2019:2935 None None None 2019-09-30 22:53:51 UTC
Red Hat Product Errata RHSA-2019:2936 None None None 2019-09-30 22:55:57 UTC
Red Hat Product Errata RHSA-2019:2937 None None None 2019-09-30 22:51:37 UTC
Red Hat Product Errata RHSA-2019:2938 None None None 2019-09-30 22:58:10 UTC
Red Hat Product Errata RHSA-2019:3044 None None None 2019-10-14 18:28:46 UTC
Red Hat Product Errata RHSA-2019:3045 None None None 2019-10-14 18:29:06 UTC
Red Hat Product Errata RHSA-2019:3046 None None None 2019-10-14 18:29:26 UTC
Red Hat Product Errata RHSA-2019:3050 None None None 2019-10-14 18:59:31 UTC
Red Hat Product Errata RHSA-2019:3149 None None None 2019-10-18 19:53:11 UTC
Red Hat Product Errata RHSA-2019:3292 None None None 2019-10-31 17:27:04 UTC
Red Hat Product Errata RHSA-2019:3297 None None None 2019-10-31 19:10:11 UTC
Red Hat Product Errata RHSA-2020:0983 None None None 2020-03-26 15:47:47 UTC

Description msiddiqu 2019-07-01 13:15:45 UTC
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Upstream issue: 

https://github.com/FasterXML/jackson-databind/issues/2341

Upstream patch: 

https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5

Comment 1 msiddiqu 2019-07-01 13:16:05 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1725796]

Comment 3 Doran Moppert 2019-07-04 05:54:24 UTC
Mitigation:

This vulnerability relies on jdom (org.jdom) or jdom2 (org.jdom2) being present in the application's ClassPath.  Applications using jackson-databind that do not also use jdom or jdom2 are not impacted by this vulnerability.

Comment 5 Joshua Padman 2019-07-05 02:57:38 UTC
OpenDaylight in Red Hat OpenStack 9 & 10 was released as Technical Preview and is not receiving fixes.

Comment 10 Summer Long 2019-07-10 06:05:37 UTC
Statement:

* Red Hat Satellite 6 does not include the jdom or jdom2 packages, thus it is not affected by this vulnerability. 
* Red Hat OpenStack's OpenDaylight does not include the jdom or jdom2 packages, thus it is not affected by this vulnerability.

Comment 21 errata-xmlrpc 2019-09-27 00:14:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858

Comment 22 Product Security DevOps Team 2019-09-27 00:45:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12814

Comment 23 errata-xmlrpc 2019-09-30 22:51:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:2937 https://access.redhat.com/errata/RHSA-2019:2937

Comment 24 errata-xmlrpc 2019-09-30 22:53:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:2935 https://access.redhat.com/errata/RHSA-2019:2935

Comment 25 errata-xmlrpc 2019-09-30 22:55:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:2936 https://access.redhat.com/errata/RHSA-2019:2936

Comment 26 errata-xmlrpc 2019-09-30 22:58:07 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:2938 https://access.redhat.com/errata/RHSA-2019:2938

Comment 27 errata-xmlrpc 2019-10-14 18:28:42 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 6

Via RHSA-2019:3044 https://access.redhat.com/errata/RHSA-2019:3044

Comment 28 errata-xmlrpc 2019-10-14 18:29:02 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 7

Via RHSA-2019:3045 https://access.redhat.com/errata/RHSA-2019:3045

Comment 29 errata-xmlrpc 2019-10-14 18:29:22 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 8

Via RHSA-2019:3046 https://access.redhat.com/errata/RHSA-2019:3046

Comment 30 errata-xmlrpc 2019-10-14 18:59:26 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.4 zip

Via RHSA-2019:3050 https://access.redhat.com/errata/RHSA-2019:3050

Comment 31 errata-xmlrpc 2019-10-18 19:53:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149

Comment 32 errata-xmlrpc 2019-10-31 17:27:01 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2019:3292 https://access.redhat.com/errata/RHSA-2019:3292

Comment 33 errata-xmlrpc 2019-10-31 19:10:06 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2019:3297 https://access.redhat.com/errata/RHSA-2019:3297

Comment 35 errata-xmlrpc 2020-03-26 15:47:42 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983


Note You need to log in before you can comment on or make changes to this bug.