Bug 1887664 (CVE-2020-25649) - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
Summary: CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity ex...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25649
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1887779 1888130 1888374 1888490 1888491 1888578 1888643 1888644 1888645 1888646 1888647 1889246 1910494
Blocks: 1881251 2014197
TreeView+ depends on / blocked
 
Reported: 2020-10-13 06:30 UTC by Kunjan Rathod
Modified: 2021-12-14 18:47 UTC (History)
127 users (show)

Fixed In Version: jackson-databind-2.11.0, jackson-databind-2.10.5.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Clone Of:
Environment:
Last Closed: 2020-10-22 20:21:15 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4312 0 None None None 2020-10-22 16:46:08 UTC
Red Hat Product Errata RHSA-2020:4379 0 None None None 2020-11-09 18:26:41 UTC
Red Hat Product Errata RHSA-2020:4401 0 None None None 2020-10-28 21:10:08 UTC
Red Hat Product Errata RHSA-2020:4402 0 None None None 2020-10-28 21:07:25 UTC
Red Hat Product Errata RHSA-2020:5340 0 None None None 2020-12-03 19:14:35 UTC
Red Hat Product Errata RHSA-2020:5341 0 None None None 2020-12-03 19:17:23 UTC
Red Hat Product Errata RHSA-2020:5342 0 None None None 2020-12-03 19:20:19 UTC
Red Hat Product Errata RHSA-2020:5344 0 None None None 2020-12-03 19:13:32 UTC
Red Hat Product Errata RHSA-2020:5361 0 None None None 2020-12-16 07:20:52 UTC
Red Hat Product Errata RHSA-2020:5410 0 None None None 2020-12-14 17:52:30 UTC
Red Hat Product Errata RHSA-2020:5533 0 None None None 2020-12-15 17:14:38 UTC
Red Hat Product Errata RHSA-2021:0381 0 None None None 2021-02-02 13:57:16 UTC
Red Hat Product Errata RHSA-2021:0811 0 None None None 2021-03-11 17:50:02 UTC
Red Hat Product Errata RHSA-2021:2475 0 None None None 2021-06-17 13:15:13 UTC
Red Hat Product Errata RHSA-2021:2476 0 None None None 2021-06-17 13:19:17 UTC

Description Kunjan Rathod 2020-10-13 06:30:52 UTC
A flaw was found in FasterXML Jackson Databind which did not have entity expansion secured properly making it vulnerable to  XML external entity (XXE). This vulnerability is similar to CVE-2019-10172. The primary threat from this flaw is data integrity.

Comment 1 Kunjan Rathod 2020-10-13 06:31:01 UTC
External References:

https://github.com/FasterXML/jackson-databind/issues/2589

Comment 6 Marian Rehak 2020-10-13 10:44:24 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1887779]

Comment 33 Jonathan Christison 2020-10-19 11:05:16 UTC
Marking Red Hat Jboss Fuse 6 and Red Hat Fuse 7 as having a moderate impact, both versions distribute affected versions of jackson-databind, however its use in both Fuse 6 and Fuse 7 is not susceptible to the vulnerability as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

 This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 35 Jonathan Christison 2020-10-20 15:44:04 UTC
Marking Red Hat Camel K as having a moderate impact, although Camel K distributes affected versions of jackson-databind its use is not susceptible to the vulnerability as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

Comment 36 Jonathan Christison 2020-10-20 16:49:17 UTC
Marking Red Hat Jboss AMQ 6 as having a moderate impact, although AMQ 6 distribute affected versions of jackson-databind, its use in both AMQ 6 and as earlier noted, Fuse 6, is not susceptible to the vulnerability as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

 This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss AMQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 39 errata-xmlrpc 2020-10-22 16:46:02 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4312 https://access.redhat.com/errata/RHSA-2020:4312

Comment 40 Product Security DevOps Team 2020-10-22 20:21:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25649

Comment 41 errata-xmlrpc 2020-10-28 21:07:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:4402 https://access.redhat.com/errata/RHSA-2020:4402

Comment 42 errata-xmlrpc 2020-10-28 21:10:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:4401 https://access.redhat.com/errata/RHSA-2020:4401

Comment 48 Chess Hazlett 2020-11-09 15:45:26 UTC
Mitigation:

There is currently no known mitigation for this flaw.

Comment 49 errata-xmlrpc 2020-11-09 18:26:36 UTC
This issue has been addressed in the following products:

  Vert.x 3.9.4

Via RHSA-2020:4379 https://access.redhat.com/errata/RHSA-2020:4379

Comment 51 Jonathan Christison 2020-11-16 13:25:42 UTC
Marking Red Hat Integration Service Registry as having a low impact, although service registry uses affected versions of jackson-databind its use is not susceptible to the vulnerability as there is nothing that deserializes XML from JSON in such a way that the underlying DOMDeserializer is implicitly used.

Comment 52 errata-xmlrpc 2020-12-03 19:13:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:5344 https://access.redhat.com/errata/RHSA-2020:5344

Comment 53 errata-xmlrpc 2020-12-03 19:14:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:5340 https://access.redhat.com/errata/RHSA-2020:5340

Comment 54 errata-xmlrpc 2020-12-03 19:17:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:5341 https://access.redhat.com/errata/RHSA-2020:5341

Comment 55 errata-xmlrpc 2020-12-03 19:20:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:5342 https://access.redhat.com/errata/RHSA-2020:5342

Comment 56 errata-xmlrpc 2020-12-14 17:52:26 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.8

Via RHSA-2020:5410 https://access.redhat.com/errata/RHSA-2020:5410

Comment 57 errata-xmlrpc 2020-12-15 17:14:34 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:5533 https://access.redhat.com/errata/RHSA-2020:5533

Comment 58 errata-xmlrpc 2020-12-16 07:20:46 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:5361 https://access.redhat.com/errata/RHSA-2020:5361

Comment 60 errata-xmlrpc 2021-02-02 13:57:12 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:0381 https://access.redhat.com/errata/RHSA-2021:0381

Comment 61 Paramvir jindal 2021-02-10 05:48:22 UTC
Statement:

* Red Hat Enterprise Linux 8 ships a vulnerable version of jackson-databind in the pki-deps:10.6 module. pki-deps:10.6 is for pki-core dependencies, but pki-core does not use the vulnerable DOMDeserializer class and thus has been set to low impact. Future updates may include fixed version of jackson-databind.

* Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind code. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.

* Red Hat Virtualization ships a vulnerable version of jackson-databind, however the vulnerable DOMDeserializer class is not used in the code, therefore reducing impact to low.

* Red Hat OpenShift Container Platform (OCP) ships a vulnerable version of jackson-databind, but in the affected containers the DOMDeserializer class is not used. Additionally access to the containers is restricted to authenticated users only (OpenShift OAuth authentication) reducing the severity of this vulnerability to Low.
In OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix.

* Red Hat Satellite ships affected version of jackson-databind through Candlepin, however, product code does not use DOMDeserializer class and jackson-databind in a vulnerable way. Thus impact has been set to low. A future release may update jackson-databind to a fixed version.

* Red Hat Single Sign-On (RH-SSO) ships affected version of jackson-databind, however, none of the product code is using the affected class (DOMDeserializer). Thus impact has been set to low. RH-SSO will consume the fixed artifact from EAP in the next CP.

Comment 62 Jonathan Christison 2021-02-23 19:14:51 UTC
Further to comment#33 and marking Red Hat Fuse 7 and Red Hat Integration Camel K as having a moderate impact we believe a low impact is more appropriate and better represents Red Hat's specification of a low impact flaw - https://access.redhat.com/security/updates/classification  

Which describes low impact vulnerabilities as "These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited".

In the case of jackson-databind `DomDeserializer` actually being called it we believe those unlikely circumstances to be 

*) Camel components making use of jackson-databind do not expose this functionality

*) There are specialised components in camel to parse and deserialize DOM such as camel-jacksonxml which relies on jackson-dataformat-xml, jackson-dataformat-xml is not vulnerable to this XXE flaw

*) We believe the usage pattern is itself unlikely and can find no further evidence of implicit use

```java
ObjectMapper mapper = new ObjectMapper();
Document doc = mapper.readValue("\"<badxml/>\"", Document.class);
```

Comment 63 errata-xmlrpc 2021-03-11 17:49:58 UTC
This issue has been addressed in the following products:

  Red Hat Integration - Camel K - Tech-Preview 3

Via RHSA-2021:0811 https://access.redhat.com/errata/RHSA-2021:0811

Comment 64 errata-xmlrpc 2021-04-19 18:04:04 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.7.0

Via RHSA-2021:1260 https://access.redhat.com/errata/RHSA-2021:1260

Comment 65 errata-xmlrpc 2021-05-05 08:06:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:1429 https://access.redhat.com/errata/RHSA-2021:1429

Comment 66 errata-xmlrpc 2021-05-19 08:01:19 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:2039 https://access.redhat.com/errata/RHSA-2021:2039

Comment 67 errata-xmlrpc 2021-06-17 13:14:55 UTC
This issue has been addressed in the following products:

  RHPAM 7.11.0

Via RHSA-2021:2475 https://access.redhat.com/errata/RHSA-2021:2475

Comment 68 errata-xmlrpc 2021-06-17 13:19:00 UTC
This issue has been addressed in the following products:

  RHDM 7.11.0

Via RHSA-2021:2476 https://access.redhat.com/errata/RHSA-2021:2476


Note You need to log in before you can comment on or make changes to this bug.