Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2019-17267

Опубликовано: 17 сент. 2019
Источник: redhat
CVSS3: 7.5

Описание

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Отчет

Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. Red Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.

Меры по смягчению последствий

The following conditions are needed for an exploit, we recommend avoiding all if possible

  • Deserialization from sources you do not control
  • enableDefaultTyping()
  • @JsonTypeInfo using id.CLASSorid.MINIMAL_CLASS`

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat BPM Suite 6jackson-databindOut of support scope
Red Hat Enterprise Linux 8pki-deps:10.6/jackson-databindNot affected
Red Hat JBoss A-MQ 6jackson-databindOut of support scope
Red Hat JBoss Data Virtualization 6jackson-databindOut of support scope
Red Hat JBoss Fuse 6jackson-databindOut of support scope
Red Hat Mobile Application Platform 4jackson-databindOut of support scope
Red Hat OpenShift Application Runtimesjackson-databindAffected
Red Hat OpenShift Container Platform 3.10elasticsearch-cloud-kubernetesWill not fix
Red Hat OpenShift Container Platform 3.10openshift-elasticsearch-pluginWill not fix
Red Hat OpenShift Container Platform 3.11openshift3/ose-logging-elasticsearch5Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-502->CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1758167jackson-databind: Serialization gadgets in classes of the ehcache package

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2019-17267

CVSS3: 9.8
ubuntu
больше 6 лет назад

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

nvd логотип

CVE-2019-17267

CVSS3: 9.8
nvd
больше 6 лет назад

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

debian логотип

CVE-2019-17267

CVSS3: 9.8
debian
больше 6 лет назад

A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...

github логотип

GHSA-f3j5-rmmp-3fc5

CVSS3: 9.8
github
больше 5 лет назад

Improper Input Validation in jackson-databind

fstec логотип

BDU:2020-00566

CVSS3: 9.8
fstec
больше 6 лет назад

Уязвимость реализации механизма полиморфной типизации данных библиотеки FasterXML Jackson-databind, позволяющая нарушителю получить полный контроль над приложением

7.5 High

CVSS3