FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1826799]
Upstream Issue: https://github.com/FasterXML/jackson-databind/issues/2682
Upstream fix: https://github.com/FasterXML/jackson-databind/commit/77040d85e3eb6710508e6445640ae1a3d5e60c22
Mitigation: The following conditions are needed for an exploit, we recommend avoiding all if possible: * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`
OpenShift packages a vulnerable version of jackson-databind (2.7.7) in the component openshift/origin-aggregated-logging. However as per the statement, lowering the impact to Moderate.
Statement: Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. The PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release. While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release. Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11620
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:2320 https://access.redhat.com/errata/RHSA-2020:2320
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565
This issue has been addressed in the following products: Red Hat Fuse 7.7.0 Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2020:3196 https://access.redhat.com/errata/RHSA-2020:3196
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197
This issue has been addressed in the following products: Red Hat Data Grid 7.3.7 Via RHSA-2020:3779 https://access.redhat.com/errata/RHSA-2020:3779
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.0 Via RHSA-2020:5625 https://access.redhat.com/errata/RHSA-2020:5625