https://bugzilla.redhat.com/show_bug.cgi?id=1755831
Bug ID: 1755831
Summary: CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: ahardin@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, ataylor@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bbuckingham@redhat.com, bcourt@redhat.com, bgeorges@redhat.com, bkearney@redhat.com, bleanhar@redhat.com, bmaxwell@redhat.com, brian.stansberry@redhat.com, btotty@redhat.com, cbyrne@redhat.com, ccoleman@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmacedo@redhat.com, darran.lofthouse@redhat.com, dbecker@redhat.com, decathorpe@gmail.com, dedgar@redhat.com, dffrench@redhat.com, dosoudil@redhat.com, drieden@redhat.com, drusso@redhat.com, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, hhorak@redhat.com, hhudgeon@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jgoulding@redhat.com, jjoyce@redhat.com, jmadigan@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jorton@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jshepherd@redhat.com, jstastny@redhat.com, kbasil@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, lef@fedoraproject.org, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lthon@redhat.com, lzap@redhat.com, mat.booth@redhat.com, mburns@redhat.com, mchappel@redhat.com, mkolesni@redhat.com, mmccune@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, ngough@redhat.com, nstielau@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pdrozd@redhat.com, pgallagh@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puntogil@libero.it, pwright@redhat.com, rchan@redhat.com, rguimara@redhat.com, rhcs-maint@redhat.com, rjerrido@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sclewis@redhat.com, scohen@redhat.com, sdaley@redhat.com, slinaber@redhat.com, smaestri@redhat.com, stewardship-sig@lists.fedoraproject.org, sthorger@redhat.com, swoodman@redhat.com, tbrisker@redhat.com, tom.jenkinson@redhat.com, trepel@redhat.com, trogers@redhat.com, twalsh@redhat.com, vhalbert@redhat.com
Target Milestone: ---
Classification: Other
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Reference: https://github.com/FasterXML/jackson-databind/issues/2449 https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4c... https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd7...
Dhananjay Arunesh darunesh@redhat.com changed:
What       |Removed |Added
-----------+--------+--------
Depends On |        |1755832
--- Comment #1 from Dhananjay Arunesh darunesh@redhat.com --- Created jackson-databind tracking bugs for this issue:
Affects: fedora-all [bug 1755832]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1755832 [Bug 1755832] CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource [fedora-all]
Dhananjay Arunesh darunesh@redhat.com changed:
What             |Removed |Added
-----------------+--------+------------------------
Blocks           |        |1755833
Fixed In Version |        |jackson-databind 2.9.10
--- Comment #2 from Joshua Padman jpadman@redhat.com --- Statement:
Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
--- Comment #3 from Nick Tait ntait@redhat.com --- Identical feedback as on http://127.0.0.1:5600/static/#/flaw/1755849. The statement has some duplicated info due to SFM2 appending a default statement on the CVE page.
Summer Long slong@redhat.com changed:
What |Removed |Added
-----+--------+-----------------
CC   |        |slong@redhat.com
--- Comment #4 from Doran Moppert dmoppert@redhat.com --- Mitigation:
This vulnerability relies on com.zaxxer.hikari.HikariDataSource being present in the application's ClassPath. logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use com.zaxxer.hikari are not impacted by this vulnerability.
A mitigation to this class of problem in jackson-databind is not to trigger polymorphic deserialization globally by using objectMapper.enableDefaultTyping(), and rather to use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=tr...
--- Comment #5 from Doran Moppert dmoppert@redhat.com --- Mitigation:
This vulnerability relies on com.zaxxer.hikari.HikariDataSource being present in the application's ClassPath. Hikari is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use com.zaxxer.hikari are not impacted by this vulnerability.
A mitigation to this class of problem in jackson-databind is not to trigger polymorphic deserialization globally by using objectMapper.enableDefaultTyping(), and rather to use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=tr...
--- Comment #6 from Riccardo Schirone rschiron@redhat.com --- Upstream patch: https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615...
Riccardo Schirone rschiron@redhat.com changed:
What       |Removed |Added
-----------+--------+-----------------
Depends On |        |1760279, 1760278
--- Comment #8 from Cedric Buissart 🐶 cbuissar@redhat.com --- Statement:
Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
Satellite 6 does not enable polymorphic unmarshalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
Bug 1755831 depends on bug 1755832, which changed state.
Bug 1755832 Summary: CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1755832
What       |Removed |Added
-----------+--------+-------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
Jason Shepherd jshepherd@redhat.com changed:
What       |Removed |Added
-----------+--------+-----------------------------------------------------------------------
Depends On |        |1762564, 1762569, 1762566, 1762572, 1762568, 1762570, 1762567, 1762571
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss AMQ
Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2019:3200
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        |Removed |Added
------------+--------+--------------------
Status      |NEW     |CLOSED
Resolution  |---     |ERRATA
Last Closed |        |2019-10-24 12:51:20
--- Comment #13 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-16335
--- Comment #14 from Paramvir jindal pjindal@redhat.com --- Marking RHSSO as affected fix because the fix version seems to be jackson-databind 2.9.10 and RHSSO 7.3.4 (latest as of today) ships jackson-databind-2.9.9.3-redhat-00001.jar.
Jeff Cantrill jcantril@redhat.com changed:
What       |Removed |Added
-----------+--------+--------
Depends On |        |1781719
--- Comment #20 from Paramvir jindal pjindal@redhat.com --- JDG 7.3.4 ships jackson-databind-2.9.9.3-redhat-00001.jar which seems to be affected hence creating tracker for it :
JDG/modules/system/add-ons/jdg/.overlays/layer-jdg-jboss-jdg-7.3.4.CP/com/fasterxml/jackson/core/jackson-databind/jdg-7.3/jackson-databind-2.9.9.3-redhat-00001.jar
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:0164
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:0159
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8
Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:0161
--- Comment #26 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:0160
--- Comment #27 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:0445
--- Doc Text *updated* by Jonathan Christison jochrist@redhat.com --- A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariDataSource gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
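As an added illustration (not code from this bug report or from the jackson-databind project) of the mitigation in Comments #4 and #5 and of the unsafe settings named in the Doc Text above: the polymorphic property is typed with @JsonTypeInfo(use = Id.NAME) and a closed @JsonSubTypes list instead of enableDefaultTyping() or Id.CLASS, so the input can only select among declared subtypes and any other type id is rejected before anything is instantiated. The class names, the JSON samples and a jackson-databind dependency on the classpath are assumptions.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class SafePolymorphism {

    // Hypothetical closed hierarchy. The type id is a short logical name
    // ("car"/"truck"), never a class name, so a JSON document cannot name an
    // arbitrary class present on the classpath (the HikariDataSource case above).
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Car.class, name = "car"),
        @JsonSubTypes.Type(value = Truck.class, name = "truck")
    })
    public static abstract class Vehicle { public int wheels; }
    public static class Car extends Vehicle { public int seats; }
    public static class Truck extends Vehicle { public int payloadKg; }

    // Holder: the annotated field is the only place a type id is honoured.
    public static class Garage { public Vehicle vehicle; }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Weak settings deliberately NOT applied here:
        //   mapper.enableDefaultTyping();            (global class-name typing)
        //   @JsonTypeInfo(use = Id.CLASS / Id.MINIMAL_CLASS)  (class name from input)
        // Either lets the input choose which class ObjectMapper.readValue instantiates.

        // Constructed sample: a declared logical type id is accepted.
        Garage g = mapper.readValue(
            "{\"vehicle\":{\"type\":\"car\",\"wheels\":4,\"seats\":5}}", Garage.class);
        System.out.println(g.vehicle.getClass().getSimpleName()
            + " with " + g.vehicle.wheels + " wheels");

        // Constructed sample: an id outside the declared subtype set (here a
        // class-like name) fails with InvalidTypeIdException before any object
        // of that type is created.
        String unknown = "{\"vehicle\":{\"type\":\"com.example.NotASubtype\",\"wheels\":4}}";
        try {
            mapper.readValue(unknown, Garage.class);
            System.out.println("unexpected: unknown type id accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```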
--- Comment #28 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Data Grid 7.3.5
Via RHSA-2020:0729 https://access.redhat.com/errata/RHSA-2020:0729
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:0729
--- Comment #29 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Process Automation
Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:0895
--- Comment #30 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Decision Manager
Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:0899
Tomas Hoger thoger@redhat.com changed:
What    |Removed                                                                                                |Added
--------+-------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------
Summary |CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource |CVE-2019-16335 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
--- Comment #31 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:1644 https://access.redhat.com/errata/RHSA-2020:1644
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:1644
--- Comment #33 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes
Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:2067
--- Comment #34 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
EAP-CD 19 Tech Preview
Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:2333
--- Comment #35 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.7.0
Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
--------+--------+--------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2020:3192
--- Comment #37 from Jason Shepherd jshepherd@redhat.com --- Statement:
Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
Satellite 6 does not enable polymorphic unmarshalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.