Bug 1758167 (CVE-2019-17267) - CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package
Summary: CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehca...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-17267
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1758168 1762564 1762566 1762567 1762568 1762569 1762570 1762571 1762572 1764111 1764112 1781719
Blocks: 1758169
TreeView+ depends on / blocked
 
Reported: 2019-10-03 13:14 UTC by Pedro Sampaio
Modified: 2023-09-26 13:25 UTC (History)
108 users (show)

Fixed In Version: jackson-databind 2.9.10, jackson-databind 2.10.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2019-10-24 12:51:34 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3200 0 None None None 2019-10-24 09:18:34 UTC
Red Hat Product Errata RHSA-2020:0159 0 None None None 2020-01-21 02:56:29 UTC
Red Hat Product Errata RHSA-2020:0160 0 None None None 2020-01-21 03:46:36 UTC
Red Hat Product Errata RHSA-2020:0161 0 None None None 2020-01-21 03:21:49 UTC
Red Hat Product Errata RHSA-2020:0164 0 None None None 2020-01-21 02:23:54 UTC
Red Hat Product Errata RHSA-2020:0445 0 None None None 2020-02-06 08:35:45 UTC
Red Hat Product Errata RHSA-2020:0895 0 None None None 2020-03-18 14:52:05 UTC
Red Hat Product Errata RHSA-2020:0899 0 None None None 2020-03-18 17:37:01 UTC
Red Hat Product Errata RHSA-2020:2067 0 None None None 2020-05-18 10:26:30 UTC
Red Hat Product Errata RHSA-2020:2321 0 None None None 2020-05-26 16:09:31 UTC
Red Hat Product Errata RHSA-2020:2333 0 None None None 2020-05-28 15:59:01 UTC
Red Hat Product Errata RHSA-2020:3192 0 None None None 2020-07-28 15:54:55 UTC

Description Pedro Sampaio 2019-10-03 13:14:34 UTC
A flaw was found in jackson-databind before 2.9.10. New serialization gadgets were found regarding a class of the ehcache package which may help in exploiting deserialization issues.

Upstream issue:

https://github.com/FasterXML/jackson-databind/issues/2460

Upstream patch:

https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb

References:

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Comment 1 Pedro Sampaio 2019-10-03 13:14:57 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1758168]

Comment 4 Anten Skrabec 2019-10-16 21:58:05 UTC
Statement: Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

Comment 9 errata-xmlrpc 2019-10-24 09:18:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200

Comment 10 Product Security DevOps Team 2019-10-24 12:51:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17267

Comment 11 Paramvir jindal 2019-11-19 11:44:16 UTC
Marking RHSSO as affected fix because the fix version seems to be
jackson-databind 2.9.10 and RHSSO 7.3.4 (latest as of today) ships
jackson-databind-2.9.9.3-redhat-00001.jar.

Comment 16 Kunjan Rathod 2019-12-06 00:54:40 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss Data Virtualization & Services 6


Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 21 errata-xmlrpc 2020-01-21 02:23:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164

Comment 22 errata-xmlrpc 2020-01-21 02:56:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159

Comment 23 errata-xmlrpc 2020-01-21 03:21:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161

Comment 24 errata-xmlrpc 2020-01-21 03:46:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160

Comment 25 errata-xmlrpc 2020-02-06 08:35:32 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445

Comment 26 Jonathan Christison 2020-02-28 14:59:03 UTC
Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`

Comment 27 errata-xmlrpc 2020-03-18 14:51:59 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895

Comment 28 errata-xmlrpc 2020-03-18 17:36:56 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899

Comment 31 errata-xmlrpc 2020-05-18 10:26:22 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

Comment 32 errata-xmlrpc 2020-05-26 16:09:26 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321

Comment 33 errata-xmlrpc 2020-05-28 15:58:57 UTC
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333

Comment 34 errata-xmlrpc 2020-07-28 15:54:50 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192

Comment 36 Jason Shepherd 2021-03-17 01:33:17 UTC
Statement:

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

Red Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.


Note You need to log in before you can comment on or make changes to this bug.