FasterXML jackson-databind 2.x before 2.9.9 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. Upstream issue: https://github.com/FasterXML/jackson-databind/issues/2334 Upstream patch: https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234 References: https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1725808]
OpenDaylight in Red Hat OpenStack 9 & 10 was released as Technical Preview and is not receiving fixes.
OpenDaylight is not configured to use logback and does not contain the vulnerable classes in the classpath
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1820 https://access.redhat.com/errata/RHSA-2019:1820
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12384
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2720 https://access.redhat.com/errata/RHSA-2019:2720
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2019:2937 https://access.redhat.com/errata/RHSA-2019:2937
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2019:2935 https://access.redhat.com/errata/RHSA-2019:2935
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2019:2936 https://access.redhat.com/errata/RHSA-2019:2936
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:2938 https://access.redhat.com/errata/RHSA-2019:2938
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2019:2998 https://access.redhat.com/errata/RHSA-2019:2998
This vulnerability is out of security support scope for the following products: * Red Hat JBoss BPM Suite 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2019:3292 https://access.redhat.com/errata/RHSA-2019:3292
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2019:3297 https://access.redhat.com/errata/RHSA-2019:3297
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Vert.x 3.8.3 Via RHSA-2019:3901 https://access.redhat.com/errata/RHSA-2019:3901
This issue has been addressed in the following products: Red Hat Fuse 6.3 Via RHSA-2019:4352 https://access.redhat.com/errata/RHSA-2019:4352
Statement: Red Hat OpenStack's OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected. This vulnerability relies on logback-core (ch.qos.logback.core) being present in the application's ClassPath. Logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability. This issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time.
Mitigation: The following conditions are needed for an exploit, we recommend avoiding all if possible: * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`
This issue has been addressed in the following products: Red Hat Fuse 7.6.0 Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983