Description
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping(), or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS, or in any other way in which ObjectMapper.readValue might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.
Report
Red Hat OpenStack's OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected. This vulnerability relies on logback-core (ch.qos.logback.core) being present in the application's ClassPath. Logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability. This issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However, the affected code is NOT used at this time.
Mitigation
The following conditions are needed for an exploit; we recommend avoiding all of them if possible:
- Deserialization from sources you do not control
- `enableDefaultTyping()`
- `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`
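The conditions above describe a configuration choice, so the following Java example (added here; not code from this advisory or from any of the Red Hat products it lists) contrasts the weak `enableDefaultTyping()` setup with the allowlist-based `PolymorphicTypeValidator` that jackson-databind offers from 2.10 onward, and shows that a type id outside the allowlist is refused before any class is instantiated. The `com.example` package prefix and the sample JSON are constructed for illustration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {
    // Constructed sample input. With default typing, the first array element names the
    // class Jackson will instantiate, so untrusted input picks the target class.
    // java.util.HashMap stands in for whatever class the input chooses.
    static final String UNTRUSTED_JSON =
        "[\"java.util.HashMap\", {\"name\": \"not-an-event\"}]";

    // WEAK: the configuration the advisory warns about. Any non-final class on the
    // classpath may be named by the input; only a denylist of known gadgets stands in the way.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED: an allowlist (requires jackson-databind 2.10+, which introduced
    // PolymorphicTypeValidator). Only classes under the hypothetical com.example package
    // may be instantiated from a type id; everything else is denied before it is loaded.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // True when the mapper refuses the type id (a JsonMappingException) instead of instantiating it.
    static boolean rejectsUnknownType(ObjectMapper mapper) {
        try {
            mapper.readValue(UNTRUSTED_JSON, Object.class);
            return false;
        } catch (JsonMappingException e) {
            return true;
        } catch (java.io.IOException e) {
            return false; // malformed JSON, not a type-id rejection
        }
    }

    public static void main(String[] args) {
        System.out.println("weak mapper rejects: " + rejectsUnknownType(weakMapper()));
        System.out.println("hardened mapper rejects: " + rejectsUnknownType(hardenedMapper()));
    }
}
```

The hardened mapper is the recommended replacement for the weak one; removing default typing altogether, where the application can, removes the exposure entirely.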
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat BPM Suite 6 | jackson-databind | Out of support scope | | |
Red Hat JBoss A-MQ 6 | jackson-databind | Not affected | | |
Red Hat JBoss Enterprise Application Platform 6 | jackson-databind | Not affected | | |
Red Hat Mobile Application Platform 4 | jackson-databind | Not affected | | |
Red Hat OpenShift Application Runtimes | jackson-databind | Affected | | |
Red Hat OpenShift Container Platform 3.10 | elasticsearch-cloud-kubernetes | Affected | | |
Red Hat OpenShift Container Platform 3.10 | openshift-elasticsearch-plugin | Affected | | |
Red Hat OpenShift Container Platform 3.6 | elasticsearch-cloud-kubernetes | Out of support scope | | |
Red Hat OpenShift Container Platform 3.6 | openshift-elasticsearch-plugin | Out of support scope | | |
Red Hat OpenShift Container Platform 3.7 | elasticsearch-cloud-kubernetes | Out of support scope | | |
Additional information
CVSS3: 8.1 High
Related vulnerabilities
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Deserialization of Untrusted Data in FasterXML jackson-databind