https://bugzilla.redhat.com/show_bug.cgi?id=1758171
Bug ID: 1758171
Summary: jackson-databind: Serialization gadgets in classes of the commons-configuration package
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, ataylor@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bbuckingham@redhat.com, bcourt@redhat.com, bgeorges@redhat.com, bkearney@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, btotty@redhat.com, cbyrne@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmacedo@redhat.com, darran.lofthouse@redhat.com, dbecker@redhat.com, decathorpe@gmail.com, dffrench@redhat.com, dosoudil@redhat.com, drieden@redhat.com, drusso@redhat.com, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, hhorak@redhat.com, hhudgeon@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jburrell@redhat.com, jjoyce@redhat.com, jmadigan@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jorton@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jshepherd@redhat.com, jstastny@redhat.com, kbasil@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, lef@fedoraproject.org, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lthon@redhat.com, lzap@redhat.com, mat.booth@redhat.com, mburns@redhat.com, mkolesni@redhat.com, mmccune@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, ngough@redhat.com, nstielau@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pdrozd@redhat.com, pgallagh@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puntogil@libero.it, pwright@redhat.com, rchan@redhat.com, rguimara@redhat.com, rhcs-maint@redhat.com, rjerrido@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sclewis@redhat.com, scohen@redhat.com, sdaley@redhat.com, slinaber@redhat.com, smaestri@redhat.com, sponnaga@redhat.com, stewardship-sig@lists.fedoraproject.org, sthorger@redhat.com, swoodman@redhat.com, tbrisker@redhat.com, tom.jenkinson@redhat.com, trepel@redhat.com, trogers@redhat.com, twalsh@redhat.com, vhalbert@redhat.com
Target Milestone: ---
Classification: Other
A flaw was found in jackson-databind before 2.9.10. New serialization gadgets were found in a class of the commons-configuration 1 and commons-configuration 2 packages, which may help in exploiting deserialization issues when polymorphic type handling is enabled.
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2462
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a82... https://github.com/FasterXML/jackson-databind/commit/819cdbcab51c6da9fb89638...
References:
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you...
Pedro Sampaio psampaio@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Depends On      |        |1758172
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created jackson-databind tracking bugs for this issue:
Affects: fedora-all [bug 1758172]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1758172 [Bug 1758172] jackson-databind: Serialization gadgets in classes of the commons-configuration package [fedora-all]
--- Comment #2 from Cedric Buissart 🐶 cbuissar@redhat.com --- Statement:
Satellite 6 does not enable polymorphic unmarshalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
Bug 1758171 depends on bug 1758172, which changed state.
Bug 1758172 Summary: jackson-databind: Serialization gadgets in classes of the commons-configuration package [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1758172
What            |Removed |Added
----------------+--------+------------------------------------
Status          |ON_QA   |CLOSED
Resolution      |---     |ERRATA
Jason Shepherd jshepherd@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Depends On      |        |1762564, 1762569, 1762572, 1762571, 1762568, 1762570, 1762567, 1762566
Riccardo Schirone rschiron@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Depends On      |        |1765103, 1765104
Jonathan Christison jochrist@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Fixed In Version|        |jackson-databind 2.9.10, jackson-databind 2.6.7.3
Marian Rehak mrehak@redhat.com changed:
What            |Removed                                      |Added
----------------+---------------------------------------------+---------------------------------------------------------------
Summary         |jackson-databind: Serialization gadgets in   |CVE-2019-14892 jackson-databind: Serialization gadgets in
                |classes of the commons-configuration package |classes of the commons-configuration package
Alias           |                                             |CVE-2019-14892
--- Comment #13 from Kunjan Rathod krathod@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss BPMS 6
* Red Hat JBoss Data Virtualization & Services 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Jeff Cantrill jcantril@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Depends On      |        |1781719
--- Comment #18 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:0164
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:0159
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8
Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:0161
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:0160
Product Security DevOps Team prodsec-dev@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Status          |NEW     |CLOSED
Resolution      |---     |ERRATA
Last Closed     |        |2020-01-21 08:09:43
--- Comment #22 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-14892
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:0445
--- Doc Text *updated* by Chess Hazlett chazlett@redhat.com --- A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
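The condition the doc text and the product statements in this bug turn on, "polymorphic unmarshalling" (default typing, in Jackson terms), shown beside two safer configurations. This is an added example, not code from this bug report, from Red Hat or from jackson-databind itself. It assumes jackson-databind 2.10 or later, because the PolymorphicTypeValidator allow-list API it uses only exists from 2.10 on; the fixed versions named here, 2.9.10 and 2.6.7.3, predate that API and extend jackson-databind's built-in deny-list of gadget classes instead. The Envelope class, the com.example.model package prefix and the JSON input are constructed for the example. The input names a harmless JDK class as its type id rather than a gadget; the allow-list rejects it for exactly the reason it would reject the commons-configuration JNDI classes.

```java
// Added example; not from bug 1758171, Red Hat or jackson-databind.
// Assumes jackson-databind 2.10+ (PolymorphicTypeValidator API).
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingCheck {

    /** Hypothetical domain class. The Object-typed field is where default
     *  typing lets the JSON document pick the concrete Java class. */
    public static class Envelope {
        public String name;
        public Object payload;
    }

    /** The weak setting: "polymorphic unmarshalling" enabled for Object-typed
     *  and non-concrete properties. The JSON names the class to instantiate;
     *  only jackson-databind's deny-list of known gadgets stands in the way
     *  (2.9.10 / 2.6.7.3 add the commons-configuration JNDI classes to it). */
    public static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Deprecated since 2.10 precisely because of this class of CVE.
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    /** Hardened form when polymorphism is genuinely needed: allow-list the
     *  subtypes by package prefix; every other type id is refused. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // assumed application package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    /** Safest form, and the only one available before 2.10: no default typing.
     *  Object-typed fields become Map/List/String/Number, never arbitrary classes. */
    public static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    /** Constructed input. With default typing on, the Object property is read as a
     *  WRAPPER_ARRAY: ["fully.qualified.ClassName", value]. A real attack would put
     *  a gadget class name here; java.util.HashMap is enough to exercise the checks. */
    static final String TYPED_JSON =
        "{\"name\":\"demo\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    public static void main(String[] args) throws Exception {
        // Unsafe mapper: the document decides the class, a HashMap is instantiated.
        Envelope e1 = unsafeMapper().readValue(TYPED_JSON, Envelope.class);
        System.out.println("unsafe   -> " + e1.payload.getClass().getName());

        // Hardened mapper: java.util.HashMap is outside the allow-list, so the
        // type id is refused before any class is instantiated.
        try {
            hardenedMapper().readValue(TYPED_JSON, Envelope.class);
            System.out.println("hardened -> accepted (unexpected)");
        } catch (InvalidTypeIdException ex) {
            System.out.println("hardened -> rejected: " + ex.getMessage());
        }

        // Plain mapper: no type handling at all; the array is just a List of two values.
        Envelope e3 = plainMapper().readValue(TYPED_JSON, Envelope.class);
        System.out.println("plain    -> " + e3.payload.getClass().getName());
    }
}
```

When auditing a codebase for the condition the statements above describe, look for enableDefaultTyping()/activateDefaultTyping() calls and for @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) or Id.MINIMAL_CLASS on Object-typed, interface-typed or abstract-typed properties: any of those lets the inbound document choose a class, and the deny-list updates in 2.9.10 and 2.6.7.3 only block the specific gadgets known at release time. On 2.9.x and earlier there is no allow-list API, so the only structural fix is the plainMapper() form.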
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Data Grid 7.3.5
Via RHSA-2020:0729 https://access.redhat.com/errata/RHSA-2020:0729
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:0729
--- Comment #26 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Process Automation
Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:0895
--- Comment #27 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Decision Manager
Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:0899
--- Comment #29 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes
Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:2067
--- Comment #30 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
EAP-CD 19 Tech Preview
Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:2333
--- Comment #31 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.7.0
Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2020:3192
--- Comment #33 from Jason Shepherd jshepherd@redhat.com --- Statement:
Satellite 6 does not enable polymorphic unmarshalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.