https://bugzilla.redhat.com/show_bug.cgi?id=1775293
Bug ID: 1775293
Summary: cve jackson-databind: default typing leads to code execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
Target Milestone: ---
Classification: Other
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Reference: https://github.com/FasterXML/jackson-databind/issues/2498
Dhananjay Arunesh darunesh@redhat.com changed:
What    | Removed                                                      | Added
Summary | cve jackson-databind: default typing leads to code execution | cve jackson-databind: enabling default typing leads to code execution
Dhananjay Arunesh darunesh@redhat.com changed:
What    | Removed                                                               | Added
Blocks  |                                                                       | 1775297
Summary | cve jackson-databind: enabling default typing leads to code execution | CVE-2019-17531 cve jackson-databind: enabling default typing leads to code execution
Alias   | cve                                                                   | CVE-2019-17531
Dhananjay Arunesh darunesh@redhat.com changed:
What       | Removed | Added
Depends On |         | 1775300
--- Comment #1 from Dhananjay Arunesh darunesh@redhat.com --- Created jackson-databind tracking bugs for this issue:
Affects: fedora-all [bug 1775300]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1775300 [Bug 1775300] CVE-2019-17531 jackson-databind: cve jackson-databind: enabling default typing leads to code execution [fedora-all]
Tomas Hoger thoger@redhat.com changed:
What    | Removed                                                                              | Added
Summary | CVE-2019-17531 cve jackson-databind: enabling default typing leads to code execution | CVE-2019-17531 jackson-databind: enabling default typing leads to code execution
Kunjan Rathod krathod@redhat.com changed:
What   | Removed | Added
Blocks | 1775297 |
Paramvir jindal pjindal@redhat.com changed:
What   | Removed | Added
Blocks |         | 1775297
--- Comment #3 from Paramvir jindal pjindal@redhat.com --- Marked RHSSO as affected fix because the fix version seems to be jackson-databind 2.9.10 and RHSSO 7.3.4 (latest as of today) ships jackson-databind-2.9.9.3-redhat-00001.jar.
rhsso-7.3/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.4.CP/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.9.3-redhat-00001.jar
--- Comment #5 from Riccardo Schirone rschiron@redhat.com --- Upstream patch: https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f...
Jonathan Christison jochrist@redhat.com changed:
What             | Removed | Added
Fixed In Version |         | jackson-databind 2.9.10.1, jackson-databind 2.6.7.3
Jason Shepherd jshepherd@redhat.com changed:
What       | Removed | Added
Depends On |         | 1776548, 1776546, 1776545, 1776544

Bug 1775293 depends on bug 1775300, which changed state.
Bug 1775300 Summary: CVE-2019-17531 jackson-databind: enabling default typing leads to code execution [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1775300
What       | Removed | Added
Status     | NEW     | CLOSED
Resolution | ---     | EOL
Kunjan Rathod krathod@redhat.com changed:
What    | Removed                                                                          | Added
Summary | CVE-2019-17531 jackson-databind: enabling default typing leads to code execution | CVE-2019-17531 jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution
Riccardo Schirone rschiron@redhat.com changed:
What       | Removed | Added
Depends On |         | 1777744, 1777745, 1777746, 1777747
Kunjan Rathod krathod@redhat.com changed:
What     | Removed | Added
Priority | high    | medium
Severity | high    | medium
--- Comment #17 from Chess Hazlett chazlett@redhat.com --- Thorntail is affected: rhoar_thorntail:2.5.0/jackson-databind/2.9.9.3-redhat-00001/jackson-databind-2.9.9.3-redhat-00001.jar
Vertx is not affected: rhoar_vertx:3.8.3/jackson-databind/2.10.0.redhat-00001/jackson-databind-2.10.0.redhat-00001.jar
--- Comment #18 from Cedric Buissart 🐶 cbuissar@redhat.com --- Statement:
Satellite 6 does not enable polymorphic unmarshalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
Branislav Náter bnater@redhat.com changed:
What       | Removed | Added
QA Contact |         | mkyral@redhat.com
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2019:4192 https://access.redhat.com/errata/RHSA-2019:4192
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2019:4192
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        | Removed | Added
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Last Closed |         | 2019-12-10 19:24:07
--- Comment #22 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-17531
--- Comment #26 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:0164
--- Comment #27 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:0159
--- Comment #28 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8
Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:0161
--- Comment #29 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:0160
--- Comment #30 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:0445
--- Doc Text *updated* by Jonathan Christison jochrist@redhat.com --- A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the log4j-extra gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()`, when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way in which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
--- Comment #31 from Jonathan Christison jochrist@redhat.com --- Mitigation:
The following conditions are needed for an exploit; we recommend avoiding all if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`
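The three conditions above map directly onto ObjectMapper configuration. As an added example (not code from the bug report, from Red Hat, or from jackson-databind itself), the global default-typing setup the mitigation warns about is shown beside the allow-list form available from jackson-databind 2.10 and an Id.NAME model that needs no default typing; the Shape, Circle and Envelope classes and the JSON inputs are constructed for illustration.

```java
// Added example, not from the bug report; Shape/Circle/Envelope and the inputs are constructed.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Polymorphic model keyed by a closed set of logical ids (Id.NAME) rather than
    // Id.CLASS / Id.MINIMAL_CLASS, so input cannot name an arbitrary classpath class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }

    // An Object-typed property is exactly where default typing lets input pick the class.
    public static class Envelope { public Object payload; }

    // Before: global default typing, the condition named in the mitigation.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // After (jackson-databind 2.10+): default typing only through an allow-list
    // validator; type ids outside our own model hierarchy are refused.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Shape.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input in Jackson's default-typing wrapper form ["<class>", value];
        // java.util.HashMap is a harmless stand-in for "whatever class the input names".
        String chosen = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
        Object o = unsafeMapper().readValue(chosen, Envelope.class).payload;
        System.out.println("unsafe mapper instantiated " + o.getClass().getName());
        try {
            hardenedMapper().readValue(chosen, Envelope.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper refused type id " + e.getTypeId());
        }
        // Allow-listed model type still resolves, and Id.NAME needs no default typing.
        String ok = "{\"payload\":[\"" + Circle.class.getName() + "\",{\"radius\":2}]}";
        System.out.println(hardenedMapper().readValue(ok, Envelope.class).payload.getClass().getSimpleName());
        Shape s = new ObjectMapper().readValue("{\"kind\":\"circle\",\"radius\":1}", Shape.class);
        System.out.println(s.getClass().getSimpleName());
    }
}
```

The hardened mapper rejects the HashMap type id with an InvalidTypeIdException before any instance is created, which is the check a fixed-version audit should look for wherever `activateDefaultTyping` replaces `enableDefaultTyping`.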
--- Comment #32 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Process Automation
Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:0895
--- Comment #33 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Decision Manager
Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:0899
--- Comment #34 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss AMQ
Via RHSA-2020:0939 https://access.redhat.com/errata/RHSA-2020:0939
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:0939
Tomas Hoger thoger@redhat.com changed:
What    | Removed                                                                                                                                                                                        | Added
Summary | CVE-2019-17531 jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution | CVE-2019-17531 jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
--- Comment #35 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:1644 https://access.redhat.com/errata/RHSA-2020:1644
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:1644
--- Comment #36 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes
Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:2067
--- Comment #37 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
EAP-CD 19 Tech Preview
Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:2333
--- Comment #38 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.7.0
Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:3192
Jason Shepherd jshepherd@redhat.com changed:
What     | Removed | Added
Priority | medium  | high
Severity | medium  | high
--- Comment #40 from Jason Shepherd jshepherd@redhat.com --- Statement:
Satellite 6 does not enable polymorphic unmarshalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
Red Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.