https://bugzilla.redhat.com/show_bug.cgi?id=1752962
Bug ID: 1752962 Summary: CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: psampaio@redhat.com CC: ahardin@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, ataylor@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bbuckingham@redhat.com, bcourt@redhat.com, bgeorges@redhat.com, bkearney@redhat.com, bleanhar@redhat.com, bmaxwell@redhat.com, brian.stansberry@redhat.com, btotty@redhat.com, cbyrne@redhat.com, ccoleman@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmacedo@redhat.com, darran.lofthouse@redhat.com, dbecker@redhat.com, decathorpe@gmail.com, dedgar@redhat.com, dffrench@redhat.com, dosoudil@redhat.com, drieden@redhat.com, drusso@redhat.com, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, hhorak@redhat.com, hhudgeon@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jgoulding@redhat.com, jjoyce@redhat.com, jmadigan@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jorton@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jshepherd@redhat.com, jstastny@redhat.com, kbasil@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, lef@fedoraproject.org, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lthon@redhat.com, lzap@redhat.com, mat.booth@redhat.com, mburns@redhat.com, mchappel@redhat.com, mkolesni@redhat.com, mmccune@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, ngough@redhat.com, nstielau@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pdrozd@redhat.com, pgallagh@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puntogil@libero.it, pwright@redhat.com, rchan@redhat.com, rguimara@redhat.com, rhcs-maint@redhat.com, rjerrido@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sclewis@redhat.com, scohen@redhat.com, sdaley@redhat.com, slinaber@redhat.com, smaestri@redhat.com, stewardship-sig@lists.fedoraproject.org, sthorger@redhat.com, swoodman@redhat.com, tbrisker@redhat.com, tom.jenkinson@redhat.com, trepel@redhat.com, trogers@redhat.com, twalsh@redhat.com, vhalbert@redhat.com Target Milestone: --- Classification: Other
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2389
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef...
References:
https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a...
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
Pedro Sampaio psampaio@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1752963 Depends On| |1752964
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created jackson-databind tracking bugs for this issue:
Affects: fedora-all [bug 1752964]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1752964 [Bug 1752964] CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
Alex Scheel ascheel@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |ascheel@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1752962 Bug 1752962 depends on bug 1752964, which changed state.
Bug 1752964 Summary: CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1752964
What |Removed |Added ---------------------------------------------------------------------------- Status|MODIFIED |CLOSED Resolution|--- |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
--- Comment #4 from Joshua Padman jpadman@redhat.com --- Statement:
OpenDaylight provided as part of Red Hat OpenStack does not utilize logback when used in a supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
--- Comment #5 from Cedric Buissart 🐶 cbuissar@redhat.com --- Statement:
OpenDaylight provided as part of Red Hat OpenStack does not utilize logback when used in a supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.
Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
Riccardo Schirone rschiron@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1760299
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1762564, 1762569, 1762566, | |1762572, 1762568, 1762570, | |1762567, 1762571
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
--- Comment #10 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss AMQ
Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2019:3200
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
Product Security DevOps Team prodsec-dev@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |ERRATA Last Closed| |2019-10-24 12:51:14
--- Comment #11 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-14439
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
Jonathan Christison jochrist@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |jackson-databind 2.9.10, | |jackson-databind 2.8.11.4, | |jackson-databind 2.7.9.6, | |jackson-databind 2.6.7.3
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
--- Comment #12 from Paramvir jindal pjindal@redhat.com --- Marking RHSSO as not affected because RHSSO 7.3.4 ships : rhsso-7.3/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.4.CP/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.9.3-redhat-00001.jar
Affected version are FasterXML jackson-databind 2.x before 2.9.9.2
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
--- Comment #16 from Kunjan Rathod krathod@redhat.com --- This vulnerability is out of security support scope for the following products: * Red Hat JBoss BPMS 6 * Red Hat JBoss Data Virtualization & Services 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
Jeff Cantrill jcantril@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1781719
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
--- Doc Text *updated* by Jonathan Christison jochrist@redhat.com --- A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
--- Comment #19 from Jonathan Christison jochrist@redhat.com --- Mitigation:
The following conditions are needed for an exploit, we recommend avoiding all if possible * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.6.0
Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
https://bugzilla.redhat.com/show_bug.cgi?id=1752962
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:0983
java-sig-commits@lists.fedoraproject.org