Bug 1775293 (CVE-2019-17531) - CVE-2019-17531 jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution
Summary: CVE-2019-17531 jackson-databind: polymorphic typing issue when enabling defau...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-17531
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Martin Kyral
URL:
Whiteboard:
Depends On: 1777745 1775300 1776544 1776545 1776546 1776548 1777744 1777746 1777747
Blocks: 1775297
TreeView+ depends on / blocked
 
Reported: 2019-11-21 16:58 UTC by Dhananjay Arunesh
Modified: 2020-02-28 19:57 UTC (History)
96 users (show)

Fixed In Version: jackson-databind 2.9.10.1, jackson-databind 2.6.7.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the log4j-extra gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2019-12-10 19:24:07 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4192 None None None 2019-12-10 16:12:53 UTC
Red Hat Product Errata RHSA-2020:0159 None None None 2020-01-21 02:56:46 UTC
Red Hat Product Errata RHSA-2020:0160 None None None 2020-01-21 03:46:55 UTC
Red Hat Product Errata RHSA-2020:0161 None None None 2020-01-21 03:22:07 UTC
Red Hat Product Errata RHSA-2020:0164 None None None 2020-01-21 02:24:13 UTC
Red Hat Product Errata RHSA-2020:0445 None None None 2020-02-06 08:36:28 UTC

Description Dhananjay Arunesh 2019-11-21 16:58:45 UTC
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Reference:
https://github.com/FasterXML/jackson-databind/issues/2498

Comment 1 Dhananjay Arunesh 2019-11-21 17:08:57 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1775300]

Comment 3 Paramvir jindal 2019-11-22 06:53:48 UTC
Marked RHSSO as affected fix because the fix version seems to be jackson-databind 2.9.10 and RHSSO 7.3.4 (latest as of today) ships jackson-databind-2.9.9.3-redhat-00001.jar.

rhsso-7.3/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.4.CP/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.9.3-redhat-00001.jar

Comment 18 Cedric Buissart 🐶 2019-12-05 13:24:25 UTC
Statement:

Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.

Comment 21 errata-xmlrpc 2019-12-10 16:12:44 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:4192 https://access.redhat.com/errata/RHSA-2019:4192

Comment 22 Product Security DevOps Team 2019-12-10 19:24:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17531

Comment 26 errata-xmlrpc 2020-01-21 02:24:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164

Comment 27 errata-xmlrpc 2020-01-21 02:56:43 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159

Comment 28 errata-xmlrpc 2020-01-21 03:22:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161

Comment 29 errata-xmlrpc 2020-01-21 03:46:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160

Comment 30 errata-xmlrpc 2020-02-06 08:36:20 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445

Comment 31 Jonathan Christison 2020-02-28 15:06:17 UTC
Mitigation:

The following conditions are needed for an exploit, we recommend avoiding all if possible
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`


Note You need to log in before you can comment on or make changes to this bug.