Описание
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Отчет
Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release. While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.
Меры по смягчению последствий
This vulnerability relies on com.zaxxer.hikari.HikariDataSource being present in the application's ClassPath. Hikari is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use com.zaxxer.hikari are not impacted by this vulnerability. A mitigation to this class of problem in jackson-databind is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | jackson-databind | Out of support scope | ||
| Red Hat JBoss A-MQ 6 | jackson-databind | Out of support scope | ||
| Red Hat JBoss Data Virtualization 6 | jackson-databind | Out of support scope | ||
| Red Hat JBoss Fuse 6 | jackson-databind | Out of support scope | ||
| Red Hat Mobile Application Platform 4 | jackson-databind | Out of support scope | ||
| Red Hat OpenShift Application Runtimes | jackson-databind | Not affected | ||
| Red Hat OpenShift Container Platform 3.10 | elasticsearch-cloud-kubernetes | Will not fix | ||
| Red Hat OpenShift Container Platform 3.10 | openshift-elasticsearch-plugin | Will not fix | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-elasticsearch5 | Will not fix | ||
| Red Hat OpenShift Container Platform 3.9 | elasticsearch-cloud-kubernetes | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...
Polymorphic Typing issue in FasterXML jackson-databind
Уязвимость функции FasterXML (com.zaxxer.hikari.HikariDataSource) Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю получить полный контроль над системой
EPSS
7.5 High
CVSS3