https://bugzilla.redhat.com/show_bug.cgi?id=1725807
Bug ID: 1725807
Summary: CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190621,reported=20190625,source=cve,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fedora-all/jackson-databind=affected,amq-6/jackson-databind=new,amq-st/jackson-databind=new,bpms-6/jackson-databind=new,openstack-8/opendaylight=new,openstack-9/opendaylight=new,openstack-10/opendaylight=new,openstack-13/opendaylight=new,openstack-14/opendaylight=new,rhsso-7/jackson-databind=new,vertx-3/jackson-databind=new,swarm-7/jackson-databind=new,rhel-8/pki-deps:10.6/jackson-databind=new,rhn_satellite_6/jackson-databind=new,rhscl-3/rh-maven35-jackson-databind=new,rhdm-7/jackson-databind=new,rhpam-7/jackson-databind=new,fuse-6/jackson-databind=new,fuse-7/jackson-databind=new,eap-7/jackson-databind=new,rhmap-4/jackson-databind=new,openshift-enterprise-3/ose-logging-elasticsearch5=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: msiddiqu@redhat.com
Target Milestone: ---
Classification: Other
FasterXML jackson-databind 2.x before 2.9.9 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2334
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a...
References:
https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html
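The bug above is one more missed entry in jackson-databind's blocklist of classes that must not be reachable through polymorphic type handling. As an added illustration (not part of this bug report or of the upstream project's code), the following shows the weak mapper configuration that relies on that blocklist next to the hardened form that jackson-databind 2.10 and later offer, where default typing is only activated together with an allowlisting PolymorphicTypeValidator; the package prefix com.example.model. is a placeholder for the application's own types.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingExample {

    // Weak: global default typing with no restriction on which class names untrusted JSON
    // may select. Safety then rests entirely on jackson's built-in blocklist of known
    // gadget classes, which is exactly what failed here (logback-core was not on it before 2.9.9).
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for this reason
        return m;
    }

    // Hardened (jackson-databind 2.10+): default typing is activated only with an allowlist,
    // so a type id in the JSON is honoured only if both the declared base type and the
    // concrete subtype live under the application's own package prefix (placeholder below).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType("com.example.model.") // placeholder: your model package
                .allowIfSubType("com.example.model.")  // placeholder: your model package
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns true when the mapper refuses a type id outside the allowlist. The constructed
    // sample names a harmless JDK class; the point is that the validator, not a blocklist,
    // decides, so an unlisted class on the classpath is rejected regardless of its nature.
    static boolean rejectsForeignTypeId(ObjectMapper m) {
        String untrusted = "[\"java.util.HashMap\", {}]"; // constructed sample input
        try {
            m.readValue(untrusted, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened mapper rejects foreign type id: "
                + rejectsForeignTypeId(hardenedMapper()));
    }
}
```

Until a deployment is on a release with the validator API, the only safe configuration is to leave default typing disabled for any mapper that reads untrusted input, and to upgrade to 2.9.9 or later for the blocklist fix referenced above.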