FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. References: https://github.com/FasterXML/jackson-databind/issues/2526
Fedora seems not to be affected by this, as we have jackson-databind 2.10.1 in Fedora 30, 31, and Rawhide: https://apps.fedoraproject.org/packages/jackson-databind
Statement: While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.
Red Hat Mobile Application Platform is now End of Life: https://access.redhat.com/support/policy/updates/rhmap
Mitigation: The following conditions are needed for an exploit; we recommend avoiding all of them if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`
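As an added illustration of the conditions listed in the mitigation comment (example code written for this page, not Red Hat's or the jackson-databind project's own), the weak configurations sit beside a hardened one: default typing with class-name type ids versus logical type names with an allow-list validator. It assumes jackson-databind 2.10 or later for `activateDefaultTyping`; the event types and the `com.example.events.` package prefix are constructed placeholders.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class TypingConfig {

    // Weak: default typing lets the JSON document name any class on the classpath.
    // This is the precondition that blocklist entries such as net.sf.ehcache exist to catch.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Weak: an explicit class-name type id has the same effect for this one base type.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    interface WeakEvent {}

    // Hardened: type ids are logical names, resolved only against the registered subtypes.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Login.class, name = "login"),
        @JsonSubTypes.Type(value = Logout.class, name = "logout")
    })
    interface Event {}
    static final class Login implements Event { public String user; }
    static final class Logout implements Event { public String user; }

    // Hardened: if default typing is genuinely required, gate it behind an allow-list
    // validator so untrusted input can only name types we have chosen to permit.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Event.class)
            .allowIfSubType("com.example.events.") // hypothetical package prefix
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a well-formed event resolves through the name mapping.
        String doc = "{\"type\":\"login\",\"user\":\"alice\"}";
        Event e = hardenedMapper().readValue(doc, Event.class);
        System.out.println(e.getClass().getSimpleName() + " for " + ((Login) e).user);
    }
}
```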
This issue has been addressed in the following products: Red Hat JBoss AMQ Via RHSA-2020:0939 https://access.redhat.com/errata/RHSA-2020:0939
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20330
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951
Upstream fix: https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This issue has been addressed in the following products: EAP-CD 19 Tech Preview Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
This issue has been addressed in the following products: Red Hat Fuse 7.7.0 Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2020:3196 https://access.redhat.com/errata/RHSA-2020:3196
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197