Описание
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Отчет
Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release. Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.
Меры по смягчению последствий
The following conditions are needed for an exploit, we recommend avoiding all if possible
- Deserialization from sources you do not control
enableDefaultTyping()@JsonTypeInfo usingid.CLASSorid.MINIMAL_CLASS`
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | jackson-databind | Out of support scope | ||
| Red Hat JBoss A-MQ 6 | jackson-databind | Out of support scope | ||
| Red Hat JBoss Data Virtualization 6 | jackson-databind | Out of support scope | ||
| Red Hat JBoss Fuse 6 | jackson-databind | Out of support scope | ||
| Red Hat Mobile Application Platform 4 | jackson-databind | Out of support scope | ||
| Red Hat OpenShift Application Runtimes | jackson-databind | Affected | ||
| Red Hat OpenShift Container Platform 3.10 | elasticsearch-cloud-kubernetes | Will not fix | ||
| Red Hat OpenShift Container Platform 3.10 | openshift-elasticsearch-plugin | Will not fix | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-elasticsearch5 | Will not fix | ||
| Red Hat OpenShift Container Platform 3.9 | elasticsearch-cloud-kubernetes | Will not fix |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...
Polymorphic Typing in FasterXML jackson-databind
Уязвимость реализации механизма полиморфной типизации данных библиотеки jackson-databind, позволяющая нарушителю выполнить вредоносную нагрузку
7.5 High
CVSS3