Bug 1725807 (CVE-2019-12384) - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
Summary: CVE-2019-12384 jackson-databind: failure to block the logback-core class from...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-12384
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1725808 1726921 1726922 1726923 1726924 1726925 1726926 1730588 1731780 1731787 1731789 1731790 1731792 1732286 1732291 1732539
Blocks: 1725811
TreeView+ depends on / blocked
 
Reported: 2019-07-01 13:33 UTC by msiddiqu
Modified: 2020-04-03 11:41 UTC (History)
111 users (show)

Fixed In Version: jackson-databind 2.9.9.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.
Clone Of:
Environment:
Last Closed: 2019-07-22 15:07:18 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1820 None None None 2019-07-22 13:33:52 UTC
Red Hat Product Errata RHSA-2019:2720 None None None 2019-09-11 09:34:05 UTC
Red Hat Product Errata RHSA-2019:2858 None None None 2019-09-27 00:14:31 UTC
Red Hat Product Errata RHSA-2019:2935 None None None 2019-09-30 22:53:57 UTC
Red Hat Product Errata RHSA-2019:2936 None None None 2019-09-30 22:56:01 UTC
Red Hat Product Errata RHSA-2019:2937 None None None 2019-09-30 22:51:40 UTC
Red Hat Product Errata RHSA-2019:2938 None None None 2019-09-30 22:58:15 UTC
Red Hat Product Errata RHSA-2019:2998 None None None 2019-10-10 09:54:52 UTC
Red Hat Product Errata RHSA-2019:3149 None None None 2019-10-18 19:53:17 UTC
Red Hat Product Errata RHSA-2019:3292 None None None 2019-10-31 17:27:05 UTC
Red Hat Product Errata RHSA-2019:3297 None None None 2019-10-31 19:10:12 UTC
Red Hat Product Errata RHSA-2019:3901 None None None 2019-11-18 14:41:05 UTC
Red Hat Product Errata RHSA-2019:4352 None None None 2019-12-19 17:38:08 UTC
Red Hat Product Errata RHSA-2020:0983 None None None 2020-03-26 15:47:49 UTC

Description msiddiqu 2019-07-01 13:33:36 UTC
FasterXML jackson-databind 2.x before 2.9.9 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Upstream issue: 

https://github.com/FasterXML/jackson-databind/issues/2334

Upstream patch:

https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234

References:  

https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html

Comment 1 msiddiqu 2019-07-01 13:35:21 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1725808]

Comment 4 Joshua Padman 2019-07-05 02:57:42 UTC
OpenDaylight in Red Hat OpenStack 9 & 10 was released as Technical Preview and is not receiving fixes.

Comment 7 Joshua Padman 2019-07-07 09:24:49 UTC
OpenDaylight is not configured to use logback and does not contain the vulnerable classes in the classpath

Comment 17 errata-xmlrpc 2019-07-22 13:33:49 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1820 https://access.redhat.com/errata/RHSA-2019:1820

Comment 18 Product Security DevOps Team 2019-07-22 15:07:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12384

Comment 24 errata-xmlrpc 2019-09-11 09:34:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2720 https://access.redhat.com/errata/RHSA-2019:2720

Comment 27 errata-xmlrpc 2019-09-27 00:14:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858

Comment 28 errata-xmlrpc 2019-09-30 22:51:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:2937 https://access.redhat.com/errata/RHSA-2019:2937

Comment 29 errata-xmlrpc 2019-09-30 22:53:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:2935 https://access.redhat.com/errata/RHSA-2019:2935

Comment 30 errata-xmlrpc 2019-09-30 22:55:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:2936 https://access.redhat.com/errata/RHSA-2019:2936

Comment 31 errata-xmlrpc 2019-09-30 22:58:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:2938 https://access.redhat.com/errata/RHSA-2019:2938

Comment 33 errata-xmlrpc 2019-10-10 09:54:48 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2019:2998 https://access.redhat.com/errata/RHSA-2019:2998

Comment 35 Kunjan Rathod 2019-10-15 14:18:44 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BPM Suite 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 36 errata-xmlrpc 2019-10-18 19:53:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149

Comment 37 errata-xmlrpc 2019-10-31 17:27:02 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2019:3292 https://access.redhat.com/errata/RHSA-2019:3292

Comment 38 errata-xmlrpc 2019-10-31 19:10:08 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2019:3297 https://access.redhat.com/errata/RHSA-2019:3297

Comment 39 errata-xmlrpc 2019-11-18 14:41:00 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes Vert.x 3.8.3

Via RHSA-2019:3901 https://access.redhat.com/errata/RHSA-2019:3901

Comment 40 errata-xmlrpc 2019-12-19 17:38:04 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 6.3

Via RHSA-2019:4352 https://access.redhat.com/errata/RHSA-2019:4352

Comment 43 Eric Christensen 2020-03-02 21:18:24 UTC
Statement:

Red Hat OpenStack's OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.

This vulnerability relies on logback-core (ch.qos.logback.core) being present in the application's ClassPath. Logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability.

This issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time.

Comment 44 Eric Christensen 2020-03-02 21:18:29 UTC
Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`

Comment 45 errata-xmlrpc 2020-03-26 15:47:44 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983


Note You need to log in before you can comment on or make changes to this bug.