https://bugzilla.redhat.com/show_bug.cgi?id=1872707
Bug ID: 1872707
Summary: CVE-2020-24616 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP)
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: mkaplan@redhat.com
CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, aos-bugs@redhat.com, asoldano@redhat.com, atangrin@redhat.com, ataylor@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bgeorges@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, dbecker@redhat.com, decathorpe@gmail.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, eleandro@redhat.com, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, hhorak@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jburrell@redhat.com, jcantril@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jorton@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jstastny@redhat.com, jwon@redhat.com, kbasil@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, lef@fedoraproject.org, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lthon@redhat.com, mburns@redhat.com, mkolesni@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, nstielau@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pdrozd@redhat.com, pgallagh@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puntogil@libero.it, rguimara@redhat.com, rhcs-maint@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sclewis@redhat.com, scohen@redhat.com, sdaley@redhat.com, slinaber@redhat.com, smaestri@redhat.com, sponnaga@redhat.com, stewardship-sig@lists.fedoraproject.org, sthorger@redhat.com, swoodman@redhat.com, tom.jenkinson@redhat.com, vhalbert@redhat.com
Target Milestone: ---
Classification: Other
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
--- Comment #1 from Michael Kaplan mkaplan@redhat.com --- External References:
https://github.com/FasterXML/jackson-databind/issues/2814
Michael Kaplan mkaplan@redhat.com changed:
What | Removed | Added
Summary | CVE-2020-24616 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP) | CVE-2020-24616 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource
Michael Kaplan mkaplan@redhat.com changed:
What | Removed | Added
Blocks | | 1872712
Chess Hazlett chazlett@redhat.com changed:
What | Removed | Added
Priority | medium | high
Severity | medium | high
--- Comment #3 from Ted (Jong Seok) Won jwon@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat Enterprise Application Platform 6
* Red Hat JBoss BPMS 6
* Red Hat JBoss BRMS 6
* Red Hat JBoss Data Virtualization 6
* Red Hat Data Grid 6
* Red Hat JBoss Fuse 6
* Red Hat JBoss AMQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
CC | | jross@redhat.com
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
CC | | clement.escoffier@redhat.com, dandread@redhat.com, gsmet@redhat.com, sbiarozk@redhat.com, sdouglas@redhat.com
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
CC | | bibryam@redhat.com, pantinor@redhat.com
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
CC | | eric.wittmann@redhat.com
--- Comment #17 from Mark Cooper mcooper@redhat.com --- Statement:
While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.
Mark Cooper mcooper@redhat.com changed:
What | Removed | Added
Depends On | | 1873157, 1873156
--- Comment #19 from Mark Cooper mcooper@redhat.com --- Statement:
While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.
--- Comment #20 from Doran Moppert dmoppert@redhat.com --- Statement:
While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.
The PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.
Doran Moppert dmoppert@redhat.com changed:
What | Removed | Added
Depends On | | 1873939, 1873940
--- Comment #22 from Joshua Padman jpadman@redhat.com --- Statement:
While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.
The PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.
Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A flaw was found in FasterXML jackson-databind 2.x in versions prior to 2.9.10.6. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
Comment | 23 | updated
--- Comment #23 has been edited ---
Found out one more upstream commit from https://github.com/FasterXML/jackson-databind/commits/jackson-databind-2.9.1.... It additionally blocks com.nqadmin.rowset.JdbcRowSetImpl and org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl.
Upstream commits:
* https://github.com/FasterXML/jackson-databind/commit/3d97153944f7de9c19c1b36...
* https://github.com/FasterXML/jackson-databind/commit/e701bd852ca9a22e0474310...
--- Comment #25 from Ted (Jong Seok) Won jwon@redhat.com --- External References:
https://github.com/FasterXML/jackson-databind/issues/2827
https://github.com/FasterXML/jackson-databind/issues/2826
https://github.com/FasterXML/jackson-databind/issues/2814
https://github.com/FasterXML/jackson-databind/issues/2798
--- Comment #26 from Ted (Jong Seok) Won jwon@redhat.com --- Mitigation:
The following conditions are needed for an exploit; we recommend avoiding all if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `id.CLASS`
--- Comment #27 from Ted (Jong Seok) Won jwon@redhat.com --- Mitigation:
The following conditions are needed for an exploit; we recommend avoiding all if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `id.CLASS` or `id.MINIMAL_CLASS`
Stefan Cornelius scorneli@redhat.com changed:
What | Removed | Added
Depends On | | 1876809
--- Comment #34 from Ted (Jong Seok) Won jwon@redhat.com --- Mitigation:
The following conditions are needed for an exploit; we recommend avoiding all if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `id.CLASS` or `id.MINIMAL_CLASS`
* avoid br.com.anteros.dbcp in the classpath
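As an added illustration of the mitigation conditions listed in comments #26, #27 and #34 (this is not code from the bug report, from Red Hat, or from the jackson-databind project), the Java class below puts the configuration the mitigation warns against next to the hardened alternatives that jackson-databind 2.10 and later provide: `activateDefaultTyping` with a `BasicPolymorphicTypeValidator` allowlist in place of `enableDefaultTyping()`, and `JsonTypeInfo.Id.NAME` with `@JsonSubTypes` in place of `Id.CLASS`. The `Envelope`, `Note`, `Shape` and `Circle` types, the allowlist prefix and the JSON inputs are constructed for the demo; the `java.util.HashMap` type id stands in for whatever class name an untrusted sender would supply and is not itself a gadget.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Constructed carrier type. An Object-typed property is exactly where default
    // typing lets the incoming JSON choose which class Jackson instantiates.
    public static class Envelope {
        public Object payload;
    }

    // The only payload class this (hypothetical) application legitimately expects.
    public static class Note {
        public String text;
    }

    // Alternative to @JsonTypeInfo(use = Id.CLASS): logical names bound to a fixed
    // set of subtypes, so a class name arriving in the JSON is never resolved at all.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    public interface Shape {}

    public static class Circle implements Shape {
        public double radius;
    }

    // UNSAFE: the setting named in the mitigation. Any class on the classpath can
    // be named in the JSON and will be instantiated. Deprecated since 2.10.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // HARDENED: default typing stays on for Object/abstract targets, but a
    // PolymorphicTypeValidator allowlist restricts class ids to this demo's own
    // nested types (prefix "JacksonTypingDemo$" is a constructed allowlist).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(JacksonTypingDemo.class.getName() + "$")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. With default typing the class id inside the wrapper
        // array is controlled by whoever produced the JSON.
        String untrusted = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
        String legit = "{\"payload\":[\"" + Note.class.getName() + "\",{\"text\":\"hello\"}]}";

        // Unsafe mapper honours the id and instantiates the named class.
        Object o = unsafeMapper().readValue(untrusted, Envelope.class).payload;
        System.out.println("unsafe   : instantiated " + o.getClass().getName());

        // Hardened mapper accepts the allowlisted type and rejects everything else
        // before any constructor or setter of the named class runs.
        ObjectMapper safe = hardenedMapper();
        Note n = (Note) safe.readValue(legit, Envelope.class).payload;
        System.out.println("hardened : accepted Note '" + n.text + "'");
        try {
            safe.readValue(untrusted, Envelope.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened : rejected type id " + e.getTypeId());
        }

        // Id.NAME: only the registered logical name resolves; a class name is
        // just an unknown id and fails with the same exception type.
        ObjectMapper plain = new ObjectMapper();
        Shape s = plain.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("Id.NAME  : accepted " + s.getClass().getSimpleName());
        try {
            plain.readValue("{\"type\":\"java.util.HashMap\"}", Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("Id.NAME  : rejected type id " + e.getTypeId());
        }
    }
}
```

Compile and run with jackson-databind 2.10 or later on the classpath (the validator API does not exist in 2.9.x, which is why the mitigation above is phrased as configuration to avoid rather than an allowlist to add). `ObjectMapper.setPolymorphicTypeValidator(ptv)` applies the same allowlist to hierarchies annotated with `@JsonTypeInfo(use = Id.CLASS)` or `Id.MINIMAL_CLASS` that cannot be migrated to `Id.NAME` immediately. The allowlist is defence in depth for code that genuinely needs polymorphic input; the first condition, not deserializing from sources you do not control, and upgrading past 2.9.10.6 still apply.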
--- Comment #35 from Ted (Jong Seok) Won jwon@redhat.com --- Statement:
The Red Hat JBoss Enterprise Application Platform 7 does ship the vulnerable component but has a mandatory whitelist which blocks all wicked serializing classes and does not enable the unsafe conditions needed to exploit.
While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.
The PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.
Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
lnacshon@redhat.com changed:
What | Removed | Added
Depends On | | 1953312
Ted Jongseok Won jwon@redhat.com changed:
What | Removed | Added
Resolution | --- | NOTABUG
Status | NEW | CLOSED
Last Closed | | 2021-10-28 10:13:45
--- Comment #40 from Ted Jongseok Won jwon@redhat.com --- Closing old flaw bugs.