https://bugzilla.redhat.com/show_bug.cgi?id=1758167
Bug ID: 1758167
Summary: jackson-databind: Serialization gadgets in classes of the ehcache package
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, ataylor@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bbuckingham@redhat.com, bcourt@redhat.com, bgeorges@redhat.com, bkearney@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, btotty@redhat.com, cbyrne@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmacedo@redhat.com, darran.lofthouse@redhat.com, dbecker@redhat.com, decathorpe@gmail.com, dffrench@redhat.com, dosoudil@redhat.com, drieden@redhat.com, drusso@redhat.com, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, hhorak@redhat.com, hhudgeon@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jburrell@redhat.com, jjoyce@redhat.com, jmadigan@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jorton@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jshepherd@redhat.com, jstastny@redhat.com, kbasil@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, lef@fedoraproject.org, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lthon@redhat.com, lzap@redhat.com, mat.booth@redhat.com, mburns@redhat.com, mkolesni@redhat.com, mmccune@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, ngough@redhat.com, nstielau@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pdrozd@redhat.com, pgallagh@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puntogil@libero.it, pwright@redhat.com, rchan@redhat.com, rguimara@redhat.com, rhcs-maint@redhat.com, rjerrido@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sclewis@redhat.com, scohen@redhat.com, sdaley@redhat.com, slinaber@redhat.com, smaestri@redhat.com, sponnaga@redhat.com, stewardship-sig@lists.fedoraproject.org, sthorger@redhat.com, swoodman@redhat.com, tbrisker@redhat.com, tom.jenkinson@redhat.com, trepel@redhat.com, trogers@redhat.com, twalsh@redhat.com, vhalbert@redhat.com
Target Milestone: ---
Classification: Other
A flaw was found in jackson-databind before 2.9.10. New serialization gadgets were found in a class of the ehcache package which may help in exploiting deserialization issues.
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2460
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77e...
References:
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you...
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
Depends On | | 1758168
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created jackson-databind tracking bugs for this issue:
Affects: fedora-all [bug 1758168]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1758168 [Bug 1758168] jackson-databind: Serialization gadgets in classes of the ehcache package [fedora-all]
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
Blocks | | 1758169
Bug 1758167 depends on bug 1758168, which changed state.
Bug 1758168 Summary: jackson-databind: Serialization gadgets in classes of the ehcache package [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1758168
What | Removed | Added
Status | ON_QA | CLOSED
Resolution | --- | ERRATA
Chess Hazlett chazlett@redhat.com changed:
What | Removed | Added
Fixed In Version | | jackson-databind 2.9.10, jackson-databind 2.10.0
Chess Hazlett chazlett@redhat.com changed:
What | Removed | Added
Summary | jackson-databind: Serialization gadgets in classes of the ehcache package | CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package
Alias | | CVE-2019-17267
--- Comment #4 from Anten Skrabec askrabec@redhat.com --- Statement: Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
Jason Shepherd jshepherd@redhat.com changed:
What | Removed | Added
Depends On | | 1762564, 1762569, 1762572, 1762571, 1762568, 1762570, 1762567, 1762566
Riccardo Schirone rschiron@redhat.com changed:
What | Removed | Added
Depends On | | 1764111
Riccardo Schirone rschiron@redhat.com changed:
What | Removed | Added
Depends On | | 1764112
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss AMQ
Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2019:3200
Product Security DevOps Team prodsec-dev@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | ERRATA
Last Closed | | 2019-10-24 12:51:34
--- Comment #10 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-17267
--- Comment #11 from Paramvir jindal pjindal@redhat.com --- Marking RHSSO as affected fix because the fix version seems to be jackson-databind 2.9.10 and RHSSO 7.3.4 (latest as of today) ships jackson-databind-2.9.9.3-redhat-00001.jar.
--- Comment #16 from Kunjan Rathod krathod@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss BPMS 6
* Red Hat JBoss Data Virtualization & Services 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Jeff Cantrill jcantril@redhat.com changed:
What | Removed | Added
Depends On | | 1781719
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:0164
--- Comment #22 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:0159
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8
Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:0161
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:0160
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:0445
--- Doc Text *updated* by Jonathan Christison jochrist@redhat.com --- A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()`, or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way in which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
--- Comment #26 from Jonathan Christison jochrist@redhat.com --- Mitigation:
The following conditions are needed for an exploit; we recommend avoiding all of them if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`
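The three conditions in the comment above map directly onto ObjectMapper configuration. The following is an added example, not code from the Bugzilla report or from the jackson-databind project; it assumes jackson-databind 2.10 or later (the release in the Fixed In Version field that introduced `activateDefaultTyping` and `BasicPolymorphicTypeValidator`), and the `Event`, `Command` and related classes, field names and type names are hypothetical. It puts the legacy `enableDefaultTyping()` setting beside two hardened forms: default typing restricted by an explicit subtype allowlist, and `@JsonTypeInfo` with `Id.NAME` logical names instead of `Id.CLASS` class names.

```java
// Added example (not from the Bugzilla report): hardened polymorphic-typing
// settings for jackson-databind 2.10+. All domain types below are hypothetical.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class HardenedJacksonTyping {

    // Hypothetical domain types handled through mapper-level default typing.
    public interface Event {}
    public static class LoginEvent implements Event { public String user; }
    public static class LogoutEvent implements Event { public String user; }
    // Implements Event but is deliberately NOT on the allowlist below.
    public static class UnlistedEvent implements Event { public String note; }

    // Annotation-based alternative: the type id in the input is a logical name
    // chosen by the application, never a class name, so Id.NAME replaces
    // Id.CLASS / Id.MINIMAL_CLASS from the advisory.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Ping.class, name = "ping"),
        @JsonSubTypes.Type(value = Pong.class, name = "pong")
    })
    public interface Command {}
    public static class Ping implements Command { public int seq; }
    public static class Pong implements Command { public int seq; }

    // Weak setting (the one the comment warns about): legacy global default
    // typing lets any class named in the input be instantiated. Shown for
    // contrast only; never combine with input you do not control.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened setting: default typing stays on, but a PolymorphicTypeValidator
    // allowlist decides which concrete classes a type id may resolve to.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(LoginEvent.class)
            .allowIfSubType(LogoutEvent.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Default typing uses WRAPPER_ARRAY inclusion: [ "<class name>", { ... } ].
    static String wrapped(Class<?> c, String body) {
        return "[\"" + c.getName() + "\"," + body + "]";
    }

    // Reads an Event and reports whether the validator accepted the type id.
    static String tryRead(ObjectMapper m, String json) {
        try {
            Event e = m.readValue(json, Event.class);
            return "accepted " + e.getClass().getSimpleName();
        } catch (JsonMappingException ex) {
            return "rejected: " + ex.getOriginalMessage();
        } catch (java.io.IOException ex) {
            return "rejected: " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper hardened = hardenedMapper();

        // Constructed inputs: one allowlisted subtype, one that is not.
        String ok = wrapped(LoginEvent.class, "{\"user\":\"alice\"}");
        String notAllowed = wrapped(UnlistedEvent.class, "{\"note\":\"x\"}");
        System.out.println(tryRead(hardened, ok));          // accepted LoginEvent
        System.out.println(tryRead(hardened, notAllowed));  // rejected (validator denied)

        // Name-based typing needs no default typing at all on the mapper.
        ObjectMapper plain = new ObjectMapper();
        Command c = plain.readValue("{\"kind\":\"ping\",\"seq\":1}", Command.class);
        System.out.println(c.getClass().getSimpleName());   // Ping
        try {
            // A "kind" that is not declared in @JsonSubTypes is an unknown id.
            plain.readValue("{\"kind\":\"java.util.HashMap\",\"seq\":1}", Command.class);
        } catch (JsonMappingException ex) {
            System.out.println("unknown kind rejected");
        }
    }
}
```

The allowlist form still honours the first condition in the comment: a validator only narrows which classes a type id can name, so for endpoints that read input from sources you do not control the safer choice remains to leave default typing off entirely and model polymorphism with `Id.NAME` and an explicit `@JsonSubTypes` list, as the `Command` type does.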
--- Comment #27 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Process Automation
Via RHSA-2020:0895 https://access.redhat.com/errata/RHSA-2020:0895
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:0895
--- Comment #28 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Decision Manager
Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:0899
--- Comment #31 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes
Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:2067
--- Comment #32 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Data Grid 7.3.6
Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:2321
--- Comment #33 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
EAP-CD 19 Tech Preview
Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:2333
--- Comment #34 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.7.0
Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:3192
--- Comment #36 from Jason Shepherd jshepherd@redhat.com --- Statement:
Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
Red Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.