A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 220.127.116.11. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Created jackson-databind tracking bugs for this issue:
Affects: fedora-all [bug 1752964]
OpenDaylight provided as part of Red Hat OpenStack does not utilize logback when used in a supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.
Satellite 6 does not enable polymorphic unmarshalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
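The two prerequisites named in the description (Default Typing enabled, logback on the classpath) are what the OpenDaylight and Satellite 6 statements above rule out, and both can be checked mechanically. The following Python triage script is an added example, not code from Red Hat or the jackson-databind project; the file paths, jar names and sample sources are constructed, and it does not check whether the JSON endpoint is externally exposed.

```python
import re

# Constructs that let a class name in the JSON input choose the Java type:
# global default typing, or a per-property @JsonTypeInfo using a class id.
# activateDefaultTyping (2.10+) takes a validator, so a hit there means "review".
TYPING_PATTERNS = [
    re.compile(r"\.\s*enableDefaultTyping\s*\("),
    re.compile(r"\.\s*activateDefaultTyping\s*\("),
    re.compile(r"@JsonTypeInfo\s*\([^)]*\bId\.(?:CLASS|MINIMAL_CLASS)\b"),
]
LOGBACK_JAR = re.compile(r"(?:^|/)logback-(?:core|classic)-[^/]*\.jar$")


def strip_comments(java_source):
    """Remove comments but keep newlines, so reported line numbers stay true.
    Heuristic: a '//' inside a string literal is treated as a comment too."""
    keep_newlines = lambda m: "\n" * m.group(0).count("\n")
    no_block = re.sub(r"/\*.*?\*/", keep_newlines, java_source, flags=re.S)
    return re.sub(r"//[^\n]*", "", no_block)


def default_typing_lines(java_source):
    """Return sorted 1-based line numbers where polymorphic typing is enabled."""
    clean = strip_comments(java_source)
    hits = {clean.count("\n", 0, m.start()) + 1
            for pattern in TYPING_PATTERNS for m in pattern.finditer(clean)}
    return sorted(hits)


def triage(sources, classpath):
    """sources: {path: Java text}; classpath: jar paths. Both prerequisites
    from the description must hold before the deployment counts as exposed."""
    typing = {path: lines for path, text in sources.items()
              if (lines := default_typing_lines(text))}
    logback = [jar for jar in classpath if LOGBACK_JAR.search(jar)]
    return {"default_typing": typing, "logback_jars": logback,
            "prerequisites_met": bool(typing) and bool(logback)}


# Constructed sample input (not taken from any real product).
SAMPLE_SOURCES = {
    "api/JsonConfig.java": "ObjectMapper mapper = new ObjectMapper();\n"
                           "// mapper.enableDefaultTyping();\n"
                           "mapper.enableDefaultTyping();\n",
    "api/Event.java": "public class Event {\n"
                      "  @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)\n"
                      "  public Object payload;\n}\n",
    "api/Plain.java": "ObjectMapper m = new ObjectMapper();\n",
}
SAMPLE_CLASSPATH = ["lib/jackson-databind.jar", "lib/logback-core-1.2.3.jar"]
```

A result with `prerequisites_met` false matches the "not affected" reasoning in the product statements; a true result means the flagged lines need review and the dependency needs updating.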
This issue has been addressed in the following products:
Red Hat JBoss AMQ
Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):