1752962 – (CVE-2019-14439) CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI

Bug 1752962 (CVE-2019-14439) - CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI

Summary: CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-14439
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1752964 1760299 1762564 1762566 1762567 1762568 1762569 1762570 1762571 1762572 1781719
Blocks:	1752963
TreeView+	depends on / blocked

Reported:	2019-09-17 16:34 UTC by Pedro Sampaio
Modified:	2021-12-14 18:47 UTC (History)
CC List:	112 users (show)
Fixed In Version:	jackson-databind 2.9.10, jackson-databind 2.8.11.4, jackson-databind 2.7.9.6, jackson-databind 2.6.7.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Clone Of:
Environment:
Last Closed:	2019-10-24 12:51:14 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:3200	0	None	None	None	2019-10-24 09:18:25 UTC
Red Hat Product Errata	RHSA-2020:0983	0	None	None	None	2020-03-26 15:48:48 UTC

Description Pedro Sampaio 2019-09-17 16:34:01 UTC

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Upstream issue:

https://github.com/FasterXML/jackson-databind/issues/2389

Upstream patch:

https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b

References:

https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E

Comment 1 Pedro Sampaio 2019-09-17 16:37:13 UTC

Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1752964]

Comment 5 Cedric Buissart 2019-09-23 10:11:45 UTC

Statement:

OpenDaylight provided as part of Red Hat OpenStack does not utilize logback when used in a supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.

Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.

Comment 10 errata-xmlrpc 2019-10-24 09:18:21 UTC

This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200

Comment 11 Product Security DevOps Team 2019-10-24 12:51:14 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14439

Comment 12 Paramvir jindal 2019-11-19 11:01:21 UTC

Marking RHSSO as not affected because RHSSO 7.3.4 ships :
rhsso-7.3/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.4.CP/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.9.3-redhat-00001.jar

Affected version are FasterXML jackson-databind 2.x before 2.9.9.2

Comment 16 Kunjan Rathod 2019-12-06 01:40:21 UTC

This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss Data Virtualization & Services 6


Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 19 Jonathan Christison 2020-02-28 14:48:10 UTC

Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`

Comment 20 errata-xmlrpc 2020-03-26 15:48:42 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

Note You need to log in before you can comment on or make changes to this bug.

ahardin
aileenc
akoufoud
alazarot
almorale
anstephe
aos-bugs
ascheel
asoldano
atangrin
ataylor
avibelli
bbaranow
bbuckingham
bcourt
bgeorges
bkearney
bleanhar
bmaxwell
bmontgom
brian.stansberry
btotty
cbyrne
ccoleman
cdewolf
chazlett
cmacedo
darran.lofthouse
dbecker
decathorpe
dedgar
dffrench
dosoudil
drieden
drusso
eparis
etirelli
ganandan
ggaughan
hhorak
hhudgeon
ibek
iweiss
janstey
java-sig-commits
jawilson
jbalunas
jburrell
jcantril
jgoulding
jjoyce
jmadigan
jochrist
jokerman
jolee
jorton
jpallich
jperkins
jschatte
jschluet
jshepherd
jstastny
kbasil
krathod
kverlaen
kwills
lef
lgao
lhh
lpeer
lthon
lzap
mburns
mchappel
mkolesni
mmccune
mnovotny
msochure
msvehla
mszynkie
ngough
nstielau
nwallace
paradhya
pdrozd
pgallagh
pmackay
psotirop
puntogil
pwright
rchan
rguimara
rhcs-maint
rjerrido
rrajasek
rruss
rsvoboda
rsynek
sclewis
scohen
sdaley
slinaber
smaestri
sponnaga
stewardship-sig
sthorger
swoodman
tom.jenkinson
trepel
trogers
twalsh
vhalbert