Bug 1887664 (CVE-2020-25649) - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) [NEEDINFO]
Summary: CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity ex...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25649
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1887779 1888130 1888374 1888578 1888643 1888644 1888645 1888646 1888647 1888490 1888491 1889246
Blocks: 1881251
Reported: 2020-10-13 06:30 UTC by Kunjan Rathod
Modified: 2020-10-30 14:46 UTC (History)
CC List: 126 users

Fixed In Version: jackson-databind-2.11.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in FasterXML Jackson Databind, where entity expansion was not properly secured, leaving it vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Clone Of:
Environment:
Last Closed: 2020-10-22 20:21:15 UTC
ggrzybek: needinfo? (dcoleman)
ggrzybek: needinfo? (gmalinko)
ggrzybek: needinfo? (janstey)
ggrzybek: needinfo? (pgallagh)

Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:4312  None      None    None     2020-10-22 16:46:08 UTC
Red Hat Product Errata  RHSA-2020:4401  None      None    None     2020-10-28 21:10:08 UTC
Red Hat Product Errata  RHSA-2020:4402  None      None    None     2020-10-28 21:07:25 UTC

Description Kunjan Rathod 2020-10-13 06:30:52 UTC
A flaw was found in FasterXML Jackson Databind which did not have entity expansion secured properly, making it vulnerable to XML external entity (XXE). This vulnerability is similar to CVE-2019-10172. The primary threat from this flaw is data integrity.

Comment 1 Kunjan Rathod 2020-10-13 06:31:01 UTC
External References:

https://github.com/FasterXML/jackson-databind/issues/2589

Comment 6 Marian Rehak 2020-10-13 10:44:24 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1887779]

Comment 33 Jonathan Christison 2020-10-19 11:05:16 UTC
Marking Red Hat JBoss Fuse 6 and Red Hat Fuse 7 as having a moderate impact. Both versions distribute affected versions of jackson-databind; however, its use in both Fuse 6 and Fuse 7 is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 34 Przemyslaw Roguski 2020-10-20 10:10:17 UTC
Statement:

* Red Hat Enterprise Linux 8 ships a vulnerable version of jackson-databind in the pki-deps:10.6 module. pki-deps:10.6 is for pki-core dependencies, but pki-core does not use the vulnerable DOMDeserializer class and thus has been set to low impact. Future updates may include a fixed version of jackson-databind.

* Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind code. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

* Red Hat Virtualization ships a vulnerable version of jackson-databind; however, the vulnerable DOMDeserializer class is not used in the code, therefore reducing impact to low.

* Red Hat OpenShift Container Platform (OCP) ships a vulnerable version of jackson-databind, but in the affected containers the DOMDeserializer class is not used. Additionally, access to the containers is restricted to authenticated users only (OpenShift OAuth authentication), reducing the severity of this vulnerability to Low.
In OCP 4 there are no plans to maintain the ose-logging-elasticsearch5 container, hence it is marked as wontfix.

Comment 35 Jonathan Christison 2020-10-20 15:44:04 UTC
Marking Red Hat Camel K as having a moderate impact. Although Camel K distributes affected versions of jackson-databind, its use is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

Comment 36 Jonathan Christison 2020-10-20 16:49:17 UTC
Marking Red Hat JBoss AMQ 6 as having a moderate impact. Although AMQ 6 distributes affected versions of jackson-databind, its use in AMQ 6 and, as noted earlier, in Fuse 6 is not susceptible to the vulnerability, as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

This vulnerability is out of security support scope for the following products:
* Red Hat JBoss AMQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
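
The product statements above (Comments 33 through 36) all turn on one question: does anything in the application bind a JSON value to an org.w3c.dom.Document or Node, so that jackson-databind's built-in DOMDeserializer is selected implicitly? The following is an added example, not code from the bug, from Red Hat or from the jackson-databind project. It shows what such an implicit binding looks like (the hypothetical Envelope class with a Document property, constructed for this example), and how to replace the default DOM parsing with a deserializer that uses a DocumentBuilderFactory with DTDs and external entities disabled, which is the mitigation a team can apply without waiting for a fixed jackson-databind. The feature URIs assume a JDK-bundled Xerces-derived parser; all sample inputs are constructed.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedDomDeserializerExample {

    // Hypothetical JSON-bound class (constructed for this example). A property typed as
    // org.w3c.dom.Document (or Node) is what makes jackson-databind pick its built-in
    // DOMDeserializer implicitly; searching a code base for such properties answers the
    // "is DOMDeserializer used at all?" question the product statements rely on.
    public static class Envelope {
        public String id;
        public Document payload;
    }

    // Replacement deserializer: parses the JSON string value with a locked-down
    // DocumentBuilderFactory instead of the library's default one.
    public static class SafeDocumentDeserializer extends StdDeserializer<Document> {
        public SafeDocumentDeserializer() {
            super(Document.class);
        }

        static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // Feature set chosen for this example (assumes a JDK-bundled Xerces parser).
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD at all
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            return f;
        }

        @Override
        public Document deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String xml = p.getText();
            try {
                return hardenedFactory().newDocumentBuilder()
                        .parse(new InputSource(new StringReader(xml)));
            } catch (Exception e) {
                // Any DOCTYPE, external entity or malformed input surfaces as a mapping error.
                throw ctxt.weirdStringException(xml, Document.class,
                        "XML rejected by hardened parser: " + e.getMessage());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Registering a module deserializer for Document overrides the built-in DOMDeserializer.
        ObjectMapper mapper = new ObjectMapper().registerModule(
                new SimpleModule().addDeserializer(Document.class, new SafeDocumentDeserializer()));

        // Constructed sample input: JSON carrying an XML document as a string value.
        String plain = "{\"id\":\"a1\",\"payload\":\"<note><to>ops</to></note>\"}";
        Envelope ok = mapper.readValue(plain, Envelope.class);
        System.out.println("root element: " + ok.payload.getDocumentElement().getTagName());

        // Constructed sample carrying a harmless, entity-free DOCTYPE: the hardened parser
        // refuses any DTD up front, which is the property that removes the XXE surface.
        String withDtd = "{\"id\":\"a2\",\"payload\":\"<!DOCTYPE note><note/>\"}";
        try {
            mapper.readValue(withDtd, Envelope.class);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected as expected: " + e.getOriginalMessage());
        }
    }
}
```

Registering the module deserializer is enough because jackson-databind consults module-supplied deserializers before its optional standard handlers, so every Document-typed property in the application goes through the hardened factory. Rejecting the DOCTYPE declaration outright is the simplest setting to verify in review: if a document needs a DTD, that is a design decision to make explicitly rather than a default to inherit.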

Comment 39 errata-xmlrpc 2020-10-22 16:46:02 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4312 https://access.redhat.com/errata/RHSA-2020:4312

Comment 40 Product Security DevOps Team 2020-10-22 20:21:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25649

Comment 41 errata-xmlrpc 2020-10-28 21:07:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:4402 https://access.redhat.com/errata/RHSA-2020:4402

Comment 42 errata-xmlrpc 2020-10-28 21:10:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:4401 https://access.redhat.com/errata/RHSA-2020:4401
