Bug 1848966 (CVE-2020-14061) - CVE-2020-14061 jackson-databind: serialization in weblogic/oracle-aqjms
Summary: CVE-2020-14061 jackson-databind: serialization in weblogic/oracle-aqjms
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14061
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1848967 1849551 1849552 1850641 1850642 1866715
Blocks: 1848970
TreeView+ depends on / blocked
 
Reported: 2020-06-19 12:05 UTC by Dhananjay Arunesh
Modified: 2020-10-27 12:57 UTC (History)
111 users (show)

Fixed In Version: jackson-databind 2.9.10.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-07-28 19:28:27 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3192 None None None 2020-07-28 15:57:25 UTC
Red Hat Product Errata RHSA-2020:3196 None None None 2020-07-29 06:09:17 UTC
Red Hat Product Errata RHSA-2020:3197 None None None 2020-07-29 06:25:36 UTC
Red Hat Product Errata RHSA-2020:4366 None None None 2020-10-27 12:57:08 UTC

Description Dhananjay Arunesh 2020-06-19 12:05:08 UTC
A vulnerability was found in FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory.

References:
https://github.com/FasterXML/jackson-databind/issues/2698
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Comment 1 Dhananjay Arunesh 2020-06-19 12:06:26 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1848967]

Comment 3 Chess Hazlett 2020-06-19 17:03:17 UTC
Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible:
* Deserialization from sources you do not control
* enableDefaultTyping()
* @JsonTypeInfo using id.CLASS or id.MINIMAL_CLASS
* oracle.jms.AQjms*ConnectionFactory in classpath

Comment 16 Yadnyawalk Tale 2020-06-25 11:19:09 UTC
Statement:

While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

The PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.

The version of jackson-databind as shipped in Red Hat Software Collections rh-maven35 is used only while building maven, thus it does not deserialize data coming from untrusted sources, lowering the impact of the vulnerability for the Product.

Comment 17 errata-xmlrpc 2020-07-28 15:57:19 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192

Comment 18 Product Security DevOps Team 2020-07-28 19:28:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14061

Comment 19 errata-xmlrpc 2020-07-29 06:09:12 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:3196 https://access.redhat.com/errata/RHSA-2020:3196

Comment 20 errata-xmlrpc 2020-07-29 06:25:32 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197

Comment 21 errata-xmlrpc 2020-10-27 12:57:16 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 8

Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366


Note You need to log in before you can comment on or make changes to this bug.