[Bug 1913937] New: CVE-2020-36189 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
Bug ID: 1913937 Summary: CVE-2020-36189 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverM anagerConnectionSource Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team@redhat.com Reporter: gsuckevi@redhat.com CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, aos-bugs@redhat.com, asoldano@redhat.com, atangrin@redhat.com, ataylor@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bbuckingham@redhat.com, bcourt@redhat.com, bgeorges@redhat.com, bibryam@redhat.com, bkearney@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, btofel@redhat.com, btotty@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, clement.escoffier@redhat.com, dandread@redhat.com, darran.lofthouse@redhat.com, dbecker@redhat.com, decathorpe@gmail.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, eleandro@redhat.com, eparis@redhat.com, eric.wittmann@redhat.com, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gsmet@redhat.com, gvarsami@redhat.com, hamadhan@redhat.com, hbraun@redhat.com, hhudgeon@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-maint-sig@lists.fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jburrell@redhat.com, jcantril@redhat.com, jcoleman@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jross@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jstastny@redhat.com, jwon@redhat.com, kaycoth@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, ldimaggi@redhat.com, lef@fedoraproject.org, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lthon@redhat.com, lzap@redhat.com, mburns@redhat.com, mkolesni@redhat.com, mmccune@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, nmoumoul@redhat.com, nstielau@redhat.com, nwallace@redhat.com, pantinor@redhat.com, pdrozd@redhat.com, pgallagh@redhat.com, pjindal@redhat.com, pmackay@redhat.com, probinso@redhat.com, puntogil@libero.it, rchan@redhat.com, rguimara@redhat.com, rhcs-maint@redhat.com, rjerrido@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sbiarozk@redhat.com, sclewis@redhat.com, scohen@redhat.com, sdaley@redhat.com, sd-operator-metering@redhat.com, sdouglas@redhat.com, slinaber@redhat.com, smaestri@redhat.com, sokeeffe@redhat.com, sponnaga@redhat.com, sthorger@redhat.com, swoodman@redhat.com, tbrisker@redhat.com, tcunning@redhat.com, tkirby@redhat.com, tom.jenkinson@redhat.com, vhalbert@redhat.com Target Milestone: --- Classification: Other
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
Reference: https://github.com/FasterXML/jackson-databind/issues/2996
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1913942
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
Mark Cooper mcooper@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |jackson-databind 2.9.10.8
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
--- Doc Text *updated* by Mark Cooper mcooper@redhat.com --- A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
Mark Cooper mcooper@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1882683, 1882679, 1882681, | |1882680
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
Florencio Cano fcanogab@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1914130, 1914131
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
--- Comment #3 from Przemyslaw Roguski proguski@redhat.com --- Statement:
The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit, lowering their vulnerability impact: * JBoss Data Grid 7 * Business Process Management Suite 6 * Business Rules Management Suite 6 * JBoss Data Virtualization 6 * Red Hat Fuse Service Works 6 * Red Hat OpenStack Platform * Red Hat OpenShift containers: ose-metering-hadoop, ose-metering-hive, ose-logging-elasticsearch5, ose-logging-elasticsearch6 These products may update the jackson-databind dependency in a future release.
In Red Hat Openshift 4 there are no plans to maintain the ose-logging-elasticsearch5 container, hence it has been marked wontfix at this time and may be fixed in a future update.
The following Red Hat products ship OpenDaylight, which contains the vulnerable jackson-databind, but do not expose jackson-databind in a way that would make it exploitable * Red Hat OpenStack Platform 13 As such, Red Hat will not be providing a fix for OpenDaylight at this time.
The following Red Hat products are not affected by this flaw because they use a more recent version of jackson-databind that does not contain the vulnerable code: * CodeReady Studio 12.16.0 * Red Hat Enterprise Linux 8 * Red Hat Enterprise Virtualization * Red Hat Satellite 6 * Red Hat OpenShift container: ose-metering-presto
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
--- Comment #4 from Przemyslaw Roguski proguski@redhat.com --- Mitigation:
The following conditions are needed for an exploit, we recommend avoiding all if possible: * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` * avoid: oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS, org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS, org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS, org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS, org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool, org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource, org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource, org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource, org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource, com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource, com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource in the classpath
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
--- Comment #6 from Przemyslaw Roguski proguski@redhat.com --- External References:
https://github.com/FasterXML/jackson-databind/issues/2996
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
--- Comment #7 from Anten Skrabec askrabec@redhat.com --- Statement:
The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit, lowering their vulnerability impact: * JBoss Data Grid 7 * Business Process Management Suite 6 * Business Rules Management Suite 6 * JBoss Data Virtualization 6 * Red Hat Fuse Service Works 6 * Red Hat OpenStack Platform * Red Hat OpenShift containers: ose-metering-hadoop, ose-metering-hive, ose-logging-elasticsearch5, ose-logging-elasticsearch6 These products may update the jackson-databind dependency in a future release.
In Red Hat Openshift 4 there are no plans to maintain the ose-logging-elasticsearch5 container, hence it has been marked wontfix at this time and may be fixed in a future update.
The following Red Hat products ship OpenDaylight, which contains the vulnerable jackson-databind, but do not expose jackson-databind in a way that would make it exploitable: * Red Hat OpenStack Platform 13 As such, Red Hat will not be providing a fix for OpenDaylight at this time.
The following Red Hat products are not affected by this flaw because they use a more recent version of jackson-databind that does not contain the vulnerable code: * CodeReady Studio 12.16.0 * Red Hat Enterprise Linux 8 * Red Hat Enterprise Virtualization * Red Hat Satellite 6 * Red Hat OpenShift container: ose-metering-presto
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
--- Comment #9 from RaTasha Tillery-Smith rtillery@redhat.com --- Statement:
The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit, lowering their vulnerability impact: * JBoss Data Grid 7 * Business Process Management Suite 6 * Business Rules Management Suite 6 * JBoss Data Virtualization 6 * Red Hat Fuse Service Works 6 * Red Hat OpenStack Platform * Red Hat OpenShift containers: ose-metering-hadoop, ose-metering-hive, ose-logging-elasticsearch5, ose-logging-elasticsearch6 These products may update the jackson-databind dependency in a future release.
In Red Hat Openshift 4 there are no plans to maintain the ose-logging-elasticsearch5 container, therefore it has been marked wontfix at this time and maybe fixed in a future update.
The following Red Hat products ship OpenDaylight, which contains the vulnerable jackson-databind, but do not expose jackson-databind in a way that would make it exploitable: * Red Hat OpenStack Platform 13 As such, Red Hat will not be providing a fix for OpenDaylight at this time.
The following Red Hat products are not affected by this flaw because they use a more recent version of jackson-databind that does not contain the vulnerable code: * CodeReady Studio 12.16.0 * Red Hat Enterprise Linux 8 * Red Hat Enterprise Virtualization * Red Hat Satellite 6 * Red Hat OpenShift container: ose-metering-presto
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
msiddiqu@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1922499
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1922499 [Bug 1922499] CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 jackson-databind: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
--- Comment #11 from msiddiqu@redhat.com --- Created jackson-databind tracking bugs for this issue:
Affects: fedora-all [bug 1922499]
https://bugzilla.redhat.com/show_bug.cgi?id=1913937 Bug 1913937 depends on bug 1922499, which changed state.
Bug 1922499 Summary: CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 jackson-databind: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1922499
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |CURRENTRELEASE
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.6
Via RHSA-2021:1230 https://access.redhat.com/errata/RHSA-2021:1230
https://bugzilla.redhat.com/show_bug.cgi?id=1913937
Product Security DevOps Team prodsec-dev@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |ERRATA Last Closed| |2021-04-27 10:50:18
--- Comment #13 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-36189
java-sig-commits@lists.fedoraproject.org
-
bugzilla@redhat.com