https://bugzilla.redhat.com/show_bug.cgi?id=1713468
Bug ID: 1713468
Summary: CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190514,reported=20190518,source=cve,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-502->CWE-200,fuse-6/jackson-databind=new,fuse-7/jackson-databind=new,eap-7/jackson-databind=new,rhdm-7/jackson-databind=new,rhpam-7/jackson-databind=new,rhscl-3/rh-maven35-jackson-databind=new,openshift-enterprise-3/jackson-databind=new,rhn_satellite_6/jackson-databind=new,vertx-3/jackson-databind=new,rhsso-7/jackson-databind=new,rhmap-4/jackson-databind=new,bpms-6/jackson-databind=new,swarm-7/jackson-databind=new,amq-6/jackson-databind=new,amq-st/jackson-databind=new,fedora-all/jackson-databind=affected,rhel-8/pki-deps:10.6/jackson-databind=new,openstack-10/opendaylight=new,openstack-13/opendaylight=new,openstack-14/opendaylight=new,openstack-8/opendaylight=new,openstack-9/opendaylight=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: msiddiqu(a)redhat.com
CC: ahardin(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
ataylor(a)redhat.com, avibelli(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bleanhar(a)redhat.com, bmaxwell(a)redhat.com,
btotty(a)redhat.com, cbyrne(a)redhat.com,
ccoleman(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmacedo(a)redhat.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dbecker(a)redhat.com, dedgar(a)redhat.com,
dffrench(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, drusso(a)redhat.com,
eparis(a)redhat.com, etirelli(a)redhat.com,
hhorak(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jgoulding(a)redhat.com, jjoyce(a)redhat.com,
jkurik(a)redhat.com, jmadigan(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jschluet(a)redhat.com, jshepherd(a)redhat.com,
kbasil(a)redhat.com, krathod(a)redhat.com,
kverlaen(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lpetrovi(a)redhat.com, lthon(a)redhat.com,
lzap(a)redhat.com, mat.booth(a)redhat.com,
mburns(a)redhat.com, mchappel(a)redhat.com,
mhulan(a)redhat.com, mkolesni(a)redhat.com,
mmccune(a)redhat.com, mnovotny(a)redhat.com,
mszynkie(a)redhat.com, ngough(a)redhat.com,
paradhya(a)redhat.com, pdrozd(a)redhat.com,
pgallagh(a)redhat.com, pgier(a)redhat.com,
ppenicka(a)redhat.com, psakar(a)redhat.com,
pslavice(a)redhat.com, psotirop(a)redhat.com,
puntogil(a)libero.it, pwright(a)redhat.com,
rchan(a)redhat.com, rhcs-maint(a)redhat.com,
rjerrido(a)redhat.com, rnetuka(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
sthorger(a)redhat.com, tbrisker(a)redhat.com,
tom.jenkinson(a)redhat.com, trepel(a)redhat.com,
trogers(a)redhat.com, twalsh(a)redhat.com,
vtunka(a)redhat.com
Target Milestone: ---
Classification: Other
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
before 2.9.9. When Default Typing is enabled (either globally or for a specific
property) for an externally exposed JSON endpoint, the service has the
mysql-connector-java jar (8.0.14 or earlier) on the classpath, and an attacker
can host a crafted MySQL server reachable by the victim, that attacker can send
a crafted JSON message that allows them to read arbitrary local files on the
server. This occurs because jackson-databind's type validation did not block
com.mysql.cj.jdbc.admin.MiniAdmin.
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b...
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2326
References:
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9
https://issues.jboss.org/browse/RESTEASY-2248
http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-...
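Added here as an illustration, not code from the bug report or from the jackson-databind project: the weak ObjectMapper configuration the description refers to (Default Typing enabled with no restriction on which class a type id may name) beside the allow-list form available from jackson-databind 2.10 onward, which refuses any type id outside the application's own package before the class is loaded. The package name com.example.model and the sample document are assumptions; for the 2.9 line, the remedy the report points to is updating to 2.9.9.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Weak: global Default Typing with no restriction on the class names an
    // incoming document may name. This is the precondition the advisory
    // describes; on jackson-databind before 2.9.9 it is what lets a crafted
    // type id reach a class such as the MySQL driver's MiniAdmin.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for this reason
        return mapper;
    }

    // Hardened (jackson-databind 2.10+): an allow-list validator so that only
    // the application's own DTO package (assumed: com.example.model) may be
    // named by a type id; every other class name is refused before it is
    // loaded or instantiated, whatever jars happen to be on the classpath.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Constructed sample: a wrapper-array document whose type id names a
    // harmless JDK class outside the allow-list. It is enough to show the
    // validator's behaviour; no driver class is involved.
    static final String UNTRUSTED_JSON = "[\"java.net.URL\",\"http://example.invalid/\"]";

    // Returns true when the hardened mapper refuses the foreign type id.
    static boolean hardenedMapperRejects() throws Exception {
        try {
            hardenedMapper().readValue(UNTRUSTED_JSON, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true; // thrown by the PolymorphicTypeValidator check
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened mapper rejected foreign type id: "
                + hardenedMapperRejects());
    }
}
```

The same document read through weakMapper() on an unpatched 2.9.x build is accepted, which is the gap the allow-list closes.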