Bug 1737517 (CVE-2019-14379) - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution
Summary: CVE-2019-14379 jackson-databind: default typing mishandling leading to remote...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14379
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1737518 1738404 1738406 1738407 1738408 1738409 1738410 1738411 1739083 1739084 1740588 1740589 1740590 1740591 1940563
Blocks: 1737522
TreeView+ depends on / blocked
 
Reported: 2019-08-05 14:59 UTC by msiddiqu
Modified: 2023-09-07 20:21 UTC (History)
118 users (show)

Fixed In Version: jackson-databind 2.9.9.2, jackson-databind 2.10.0, jackson-databind 2.7.9.6, jackson-databind 2.8.11.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2019-09-13 12:45:32 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2743 0 None None None 2019-09-12 11:52:00 UTC
Red Hat Product Errata RHSA-2019:2858 0 None None None 2019-09-27 00:14:35 UTC
Red Hat Product Errata RHSA-2019:2935 0 None None None 2019-09-30 22:54:05 UTC
Red Hat Product Errata RHSA-2019:2936 0 None None None 2019-09-30 22:56:10 UTC
Red Hat Product Errata RHSA-2019:2937 0 None None None 2019-09-30 22:51:48 UTC
Red Hat Product Errata RHSA-2019:2938 0 None None None 2019-09-30 22:58:23 UTC
Red Hat Product Errata RHSA-2019:2998 0 None None None 2019-10-10 09:54:56 UTC
Red Hat Product Errata RHSA-2019:3044 0 None None None 2019-10-14 18:28:52 UTC
Red Hat Product Errata RHSA-2019:3045 0 None None None 2019-10-14 18:29:08 UTC
Red Hat Product Errata RHSA-2019:3046 0 None None None 2019-10-14 18:29:28 UTC
Red Hat Product Errata RHSA-2019:3050 0 None None None 2019-10-14 18:59:38 UTC
Red Hat Product Errata RHSA-2019:3149 0 None None None 2019-10-18 19:53:20 UTC
Red Hat Product Errata RHSA-2019:3292 0 None None None 2019-10-31 17:27:12 UTC
Red Hat Product Errata RHSA-2019:3297 0 None None None 2019-10-31 19:10:20 UTC
Red Hat Product Errata RHSA-2019:3901 0 None None None 2019-11-18 14:41:07 UTC
Red Hat Product Errata RHSA-2020:0727 0 None None None 2020-03-05 12:54:31 UTC
Red Hat Product Errata RHSA-2020:0983 0 None None None 2020-03-26 15:48:32 UTC

Description msiddiqu 2019-08-05 14:59:56 UTC 
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution. 


References:   

https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2

Upstream issue:  

https://github.com/FasterXML/jackson-databind/issues/2387
Comment 1 msiddiqu 2019-08-05 15:00:22 UTC 
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1737518]
Comment 10 Joshua Padman 2019-08-12 02:30:18 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat Mobile Application Platform

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 18 Joshua Padman 2019-08-27 04:11:20 UTC 
Statement:

While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.

Similarly, Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
Comment 23 errata-xmlrpc 2019-09-12 11:51:56 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2743 https://access.redhat.com/errata/RHSA-2019:2743
Comment 24 Product Security DevOps Team 2019-09-13 12:45:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14379
Comment 30 errata-xmlrpc 2019-09-27 00:14:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:2858
Comment 31 errata-xmlrpc 2019-09-30 22:51:45 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:2937 https://access.redhat.com/errata/RHSA-2019:2937
Comment 32 errata-xmlrpc 2019-09-30 22:54:02 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:2935 https://access.redhat.com/errata/RHSA-2019:2935
Comment 33 errata-xmlrpc 2019-09-30 22:56:06 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:2936 https://access.redhat.com/errata/RHSA-2019:2936
Comment 34 errata-xmlrpc 2019-09-30 22:58:20 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:2938 https://access.redhat.com/errata/RHSA-2019:2938
Comment 38 errata-xmlrpc 2019-10-10 09:54:52 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2019:2998 https://access.redhat.com/errata/RHSA-2019:2998
Comment 40 errata-xmlrpc 2019-10-14 18:28:48 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 6

Via RHSA-2019:3044 https://access.redhat.com/errata/RHSA-2019:3044
Comment 41 errata-xmlrpc 2019-10-14 18:29:04 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 7

Via RHSA-2019:3045 https://access.redhat.com/errata/RHSA-2019:3045
Comment 42 errata-xmlrpc 2019-10-14 18:29:24 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 8

Via RHSA-2019:3046 https://access.redhat.com/errata/RHSA-2019:3046
Comment 43 errata-xmlrpc 2019-10-14 18:59:34 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.4 zip

Via RHSA-2019:3050 https://access.redhat.com/errata/RHSA-2019:3050
Comment 44 errata-xmlrpc 2019-10-18 19:53:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3149
Comment 47 errata-xmlrpc 2019-10-31 17:27:09 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2019:3292 https://access.redhat.com/errata/RHSA-2019:3292
Comment 48 errata-xmlrpc 2019-10-31 19:10:16 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2019:3297 https://access.redhat.com/errata/RHSA-2019:3297
Comment 49 errata-xmlrpc 2019-11-18 14:41:03 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes Vert.x 3.8.3

Via RHSA-2019:3901 https://access.redhat.com/errata/RHSA-2019:3901
Comment 53 Jonathan Christison 2020-02-28 14:44:48 UTC 
Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`
Comment 54 errata-xmlrpc 2020-03-05 12:54:27 UTC 
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.3

Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727
Comment 55 errata-xmlrpc 2020-03-26 15:48:26 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
Comment 57 errata-xmlrpc 2021-04-27 08:56:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:1230 https://access.redhat.com/errata/RHSA-2021:1230
Note You need to log in before you can comment on or make changes to this bug.