FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). Reference: https://github.com/FasterXML/jackson-databind/issues/2999
Created jackson-databind tracking bugs for this issue: Affects: fedora-all [bug 1911503]
External References: https://github.com/FasterXML/jackson-databind/issues/2999 https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
Mitigation: The following conditions are needed for an exploit, we recommend avoiding all if possible: * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` * avoid com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool in the classpath
This vulnerability is out of security support scope for the following products: * Red Hat JBoss BRMS 6 * Red Hat JBoss BPMS 6 * Red Hat JBoss Data Virtualization 6 * Red Hat JBoss Fuse Service Works 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Statement: The following Red Hat Products ship jackson-databind version 2.10.0 or later which is not considered affected by this CVE (see https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba) * JBoss Data Grid 7 * JBoss Data Grid 8 * Enterprise Application Platform 7 * Red Hat Decision Manager 7 * Red Hat Process Automation Manager 7 * Red Hat Single Sign-On (RH-SSO) 7 * Red Hat JBoss Fuse 7 * Red Hat JBoss A-MQ * Red Hat Enterprise Linux 8 * Red Hat Satellite 6.6 * Red Hat Satellite 6.7 * Red Hat Satellite 6.8 * Red Hat CodeReady Studio 12 Red Hat OpenShift Container Platform and Red Hat OpenStack Platform does ship the vulnerable components, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact. In Red Hat Openshift 4 there are no plans to maintain the ose-logging-elasticsearch5 container, hence it has been marked wontfix at this time and may be fixed in a future update. Red Hat OpenStack Platform 13 ships OpenDaylight, which contains the vulnerable jackson-databind, but does not expose jackson-databind in a way that would make it exploitable. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:1230 https://access.redhat.com/errata/RHSA-2021:1230
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35728