1793154 – (CVE-2019-20330) CVE-2019-20330 jackson-databind: lacks certain net.sf.ehcache blocking

Bug 1793154 (CVE-2019-20330) - CVE-2019-20330 jackson-databind: lacks certain net.sf.ehcache blocking

Summary: CVE-2019-20330 jackson-databind: lacks certain net.sf.ehcache blocking

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-20330
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1793804 1793805 1793806 1793807 1793808 1807027 1807028 1807029 1809055 1809056
Blocks:	1793167
TreeView+	depends on / blocked

Reported:	2020-01-20 20:02 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-12-14 18:47 UTC (History)
CC List:	95 users (show)
Fixed In Version:	jackson-databind-2.9.10.2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Clone Of:
Environment:
Last Closed:	2020-03-23 16:32:03 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:0939	None	None	None	2020-03-23 13:21:08 UTC
Red Hat Product Errata	RHSA-2020:0951	None	None	None	2020-03-23 20:14:05 UTC
Red Hat Product Errata	RHSA-2020:2067	None	None	None	2020-05-18 10:27:41 UTC
Red Hat Product Errata	RHSA-2020:2333	None	None	None	2020-05-28 15:59:44 UTC
Red Hat Product Errata	RHSA-2020:3192	None	None	None	2020-07-28 15:55:49 UTC
Red Hat Product Errata	RHSA-2020:3196	None	None	None	2020-07-29 06:07:32 UTC
Red Hat Product Errata	RHSA-2020:3197	None	None	None	2020-07-29 06:22:44 UTC

Description Guilherme de Almeida Suckevicz 2020-01-20 20:02:19 UTC

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

References:
https://github.com/FasterXML/jackson-databind/issues/2526

Comment 1 Fabio Valentini 2020-01-20 22:48:45 UTC

fedora seems to be not affected by this, as we have jackson-databind 2.10.1 in fedora 30, 31, and rawhide:
https://apps.fedoraproject.org/packages/jackson-databind

Comment 4 Jason Shepherd 2020-01-22 04:09:44 UTC

Statement:

While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.

Comment 8 Jason Shepherd 2020-02-06 03:20:27 UTC

Red Hat Mobile Application Platform is now End of Life:
https://access.redhat.com/support/policy/updates/rhmap

Comment 14 Eric Christensen 2020-03-04 20:46:07 UTC

Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`

Comment 15 errata-xmlrpc 2020-03-23 13:21:02 UTC

This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2020:0939 https://access.redhat.com/errata/RHSA-2020:0939

Comment 16 Product Security DevOps Team 2020-03-23 16:32:03 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20330

Comment 17 errata-xmlrpc 2020-03-23 20:13:59 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951

Comment 20 Mauro Matteo Cascella 2020-04-23 09:41:29 UTC

Upstream fix:
https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e

Comment 21 errata-xmlrpc 2020-05-18 10:27:29 UTC

This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

Comment 22 errata-xmlrpc 2020-05-28 15:59:40 UTC

This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333

Comment 24 errata-xmlrpc 2020-07-28 15:55:44 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192

Comment 25 errata-xmlrpc 2020-07-29 06:07:28 UTC

This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:3196 https://access.redhat.com/errata/RHSA-2020:3196

Comment 26 errata-xmlrpc 2020-07-29 06:22:40 UTC

This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197

Note You need to log in before you can comment on or make changes to this bug.

aboyko
aileenc
akoufoud
alazarot
almorale
anstephe
aos-bugs
asoldano
atangrin
ataylor
avibelli
bbaranow
bbuckingham
bcourt
bgeorges
bkearney
bmaxwell
bmontgom
brian.stansberry
btotty
cbyrne
cdewolf
chazlett
cmacedo
darran.lofthouse
decathorpe
dffrench
dkreling
dosoudil
drieden
drusso
eparis
etirelli
ganandan
ggaughan
hhorak
hhudgeon
ibek
iweiss
janstey
java-maint
java-sig-commits
jawilson
jbalunas
jburrell
jcantril
jmadigan
jochrist
jokerman
jorton
jpallich
jperkins
jshepherd
jstastny
jwon
krathod
kverlaen
kwills
lef
lgao
lthon
lzap
mmccune
mnovotny
msochure
msvehla
mszynkie
ngough
nstielau
nwallace
paradhya
pdrozd
pgallagh
pjindal
pmackay
psotirop
puntogil
pwright
rchan
rguimara
rhcs-maint
rjerrido
rrajasek
rruss
rsvoboda
rsynek
sdaley
smaestri
sokeeffe
sponnaga
stewardship-sig
sthorger
swoodman
tom.jenkinson
trepel