https://bugzilla.redhat.com/show_bug.cgi?id=1725807
--- Comment #21 from Doran Moppert dmoppert@redhat.com ---

Mitigation:
This vulnerability relies on logback-core (ch.qos.logback.core) being present in the application's ClassPath. logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability.
This issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However, the affected code is NOT used at this time:

* Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore candlepin should not be affected.
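The comment's mitigation rests on one configuration fact: the ObjectMappers keep Jackson's default type resolution and never call enableDefaultTyping(...). The following is an added example (not candlepin's or Red Hat's code) of how an application can verify that fact in its own test suite, both by inspecting the mapper's configuration and by feeding it a constructed probe document. With default typing off, a two-element JSON array is just a List of a String and a Map; with global default typing active, Jackson treats the first element as a class name to instantiate. The probe uses java.util.HashMap, a harmless placeholder chosen only to show whether the class name is honoured at all. The class and method names are this example's own; it assumes jackson-databind 2.x on the classpath (enableDefaultTyping() is deprecated since 2.10 in favour of activateDefaultTyping(PolymorphicTypeValidator), but still behaves as shown).

```java
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;

// Added example: a guardrail that tells Jackson's default type-resolution
// configuration apart from global default typing (enableDefaultTyping).
public class DefaultTypingGuard {

    // Constructed probe: in Jackson's WRAPPER_ARRAY form, a two-element array whose
    // first element is a class name is read as "type id + value" only when global
    // default typing is active. java.util.HashMap is a benign stand-in class.
    static final String PROBE = "[\"java.util.HashMap\", {}]";

    // Configuration check: a non-null default typer means default typing is on.
    // (getDefaultTyper ignores its argument in MapperConfig, so null is fine.)
    static boolean defaultTypingActive(ObjectMapper mapper) {
        return mapper.getDeserializationConfig().getDefaultTyper(null) != null;
    }

    // Behavioural check: if the probe comes back as a Map, the class name in the
    // first array element was honoured and an instance of it was created.
    static boolean probeHonoursTypeId(ObjectMapper mapper) throws Exception {
        Object result = mapper.readValue(PROBE, Object.class);
        return result instanceof Map;
    }

    // Both checks must be false for a mapper to match the configuration the
    // comment describes (default type resolution, no global default typing).
    static boolean usesDefaultTypeResolution(ObjectMapper mapper) throws Exception {
        return !defaultTypingActive(mapper) && !probeHonoursTypeId(mapper);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper plain = new ObjectMapper();   // Jackson's default configuration
        System.out.println("plain mapper uses default type resolution: "
                + usesDefaultTypeResolution(plain));

        ObjectMapper global = new ObjectMapper();
        global.enableDefaultTyping();              // the call the comment refers to
        System.out.println("enableDefaultTyping mapper uses default type resolution: "
                + usesDefaultTypeResolution(global));
    }
}
```

A unit test that asserts usesDefaultTypeResolution(...) on every ObjectMapper the application constructs turns the comment's "nowhere do we enable" statement into a check that fails the build if someone later adds the call.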