A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Upstream issue: https://github.com/FasterXML/jackson-databind/issues/2389
Upstream patch: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b
References: https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1752964]
Statement: OpenDaylight provided as part of Red Hat OpenStack does not utilize logback when used in a supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected. Satellite 6 does not enable polymorphic unmarshalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
This issue has been addressed in the following products: Red Hat JBoss AMQ Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14439
Marking RHSSO as not affected because RHSSO 7.3.4 ships: rhsso-7.3/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.4.CP/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.9.3-redhat-00001.jar
Affected versions are FasterXML jackson-databind 2.x before 2.9.9.2.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss BPMS 6
* Red Hat JBoss Data Virtualization & Services 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Mitigation: The following conditions are needed for an exploit; we recommend avoiding all of them if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`
This issue has been addressed in the following products: Red Hat Fuse 7.6.0 Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983