Bug 1755849 (CVE-2019-14540) - CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
Summary: CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.H...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14540
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1755850 1760274 1760275 1762564 1762566 1762567 1762568 1762569 1762570 1762571 1762572 1781719
Blocks: 1755851
TreeView+ depends on / blocked
 
Reported: 2019-09-26 10:45 UTC by Dhananjay Arunesh
Modified: 2021-12-14 18:47 UTC (History)
113 users (show)

Fixed In Version: jackson-databind 2.9.10
Clone Of:
Environment:
Last Closed: 2019-10-24 12:51:27 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3200 0 None None None 2019-10-24 09:18:26 UTC
Red Hat Product Errata RHSA-2020:0159 0 None None None 2020-01-21 02:56:20 UTC
Red Hat Product Errata RHSA-2020:0160 0 None None None 2020-01-21 03:46:29 UTC
Red Hat Product Errata RHSA-2020:0161 0 None None None 2020-01-21 03:21:42 UTC
Red Hat Product Errata RHSA-2020:0164 0 None None None 2020-01-21 02:23:50 UTC
Red Hat Product Errata RHSA-2020:0445 0 None None None 2020-02-06 08:35:30 UTC
Red Hat Product Errata RHSA-2020:0895 0 None None None 2020-03-18 14:52:05 UTC
Red Hat Product Errata RHSA-2020:0899 0 None None None 2020-03-18 17:38:19 UTC
Red Hat Product Errata RHSA-2020:1644 0 None None None 2020-04-28 15:34:37 UTC
Red Hat Product Errata RHSA-2020:2067 0 None None None 2020-05-18 10:26:27 UTC
Red Hat Product Errata RHSA-2020:2321 0 None None None 2020-05-26 16:09:28 UTC
Red Hat Product Errata RHSA-2020:2333 0 None None None 2020-05-28 15:59:00 UTC
Red Hat Product Errata RHSA-2020:3192 0 None None None 2020-07-28 15:54:56 UTC

Description Dhananjay Arunesh 2019-09-26 10:45:55 UTC 
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Reference:
https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
https://github.com/FasterXML/jackson-databind/issues/2410
https://github.com/FasterXML/jackson-databind/issues/2449
https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E
https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e497427717c5d377f8d7ccce6@%3Cnotifications.zookeeper.apache.org%3E
Comment 1 Dhananjay Arunesh 2019-09-26 10:46:18 UTC 
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1755850]
Comment 5 Doran Moppert 2019-10-10 03:41:32 UTC 
Mitigation:

This vulnerability relies on com.zaxxer.hikari.HikariConfig being present in the application's ClassPath. Hikari is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use com.zaxxer.hikari are not impacted by this vulnerability.

A mitigation to this class of problem in jackson-databind is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Comment 6 Riccardo Schirone 2019-10-10 10:03:31 UTC 
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de
Comment 8 Cedric Buissart 2019-10-10 11:18:47 UTC 
Statement:

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
Comment 12 errata-xmlrpc 2019-10-24 09:18:22 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200
Comment 13 Product Security DevOps Team 2019-10-24 12:51:27 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14540
Comment 14 Paramvir jindal 2019-11-19 11:38:55 UTC 
Marking RHSSO as affected fix because the fix version seems to be jackson-databind 2.9.10 and RHSSO 7.3.4 (latest as of today) ships jackson-databind-2.9.9.3-redhat-00001.jar.
Comment 19 Kunjan Rathod 2019-12-06 01:07:24 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss Data Virtualization & Services 6


Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 24 errata-xmlrpc 2020-01-21 02:23:46 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164
Comment 25 errata-xmlrpc 2020-01-21 02:56:17 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159
Comment 26 errata-xmlrpc 2020-01-21 03:21:38 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161
Comment 27 errata-xmlrpc 2020-01-21 03:46:25 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160
Comment 28 errata-xmlrpc 2020-02-06 08:35:16 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445
Comment 29 errata-xmlrpc 2020-03-18 14:51:58 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895
Comment 30 errata-xmlrpc 2020-03-18 17:38:12 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
Comment 31 errata-xmlrpc 2020-04-28 15:34:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1644 https://access.redhat.com/errata/RHSA-2020:1644
Comment 33 errata-xmlrpc 2020-05-18 10:26:17 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
Comment 34 errata-xmlrpc 2020-05-26 16:09:23 UTC 
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321
Comment 35 errata-xmlrpc 2020-05-28 15:58:56 UTC 
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
Comment 36 errata-xmlrpc 2020-07-28 15:54:50 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
Note You need to log in before you can comment on or make changes to this bug.