FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. Reference: https://github.com/FasterXML/jackson-databind/issues/2998
Mitigation: The following conditions are needed for an exploit, we recommend avoiding all if possible: * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` * avoid: oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS, org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS, org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS, org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS, org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool, org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource, org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource, org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource, org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource, com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource, com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource in the classpath
External References: https://github.com/FasterXML/jackson-databind/issues/2998
Statement: The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit, lowering their vulnerability impact: * JBoss Data Grid 7 * Business Process Management Suite 6 * Business Rules Management Suite 6 * JBoss Data Virtualization 6 * Red Hat Fuse Service Works 6 * Red Hat OpenStack Platform * Red Hat OpenShift containers: ose-metering-hadoop, ose-metering-hive, ose-logging-elasticsearch5, ose-logging-elasticsearch6 These products may update the jackson-databind dependency in a future release. In Red Hat Openshift 4 there are no plans to maintain the ose-logging-elasticsearch5 container, therefore it has been marked wontfix at this time and may be fixed in a future update. The following Red Hat products ship OpenDaylight, which contains the vulnerable jackson-databind, but do not expose jackson-databind in a way that would make it exploitable: * Red Hat OpenStack Platform 13 As such, Red Hat will not be providing a fix for OpenDaylight at this time. The following Red Hat products are not affected by this flaw because they use a more recent version of jackson-databind that does not contain the vulnerable code: * CodeReady Studio 12.16.0 * Red Hat Enterprise Linux 8 * Red Hat Enterprise Virtualization * Red Hat Satellite 6 * Red Hat OpenShift container: ose-metering-presto
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1922499]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:1230 https://access.redhat.com/errata/RHSA-2021:1230
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-36184