Описание
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Отчет
Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release. Red Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.
Меры по смягчению последствий
The following conditions are needed for an exploit, we recommend avoiding all if possible
- Deserialization from sources you do not control
enableDefaultTyping()@JsonTypeInfo usingid.CLASSorid.MINIMAL_CLASS`
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss A-MQ 6 | jackson-databind | Out of support scope | ||
| Red Hat JBoss Fuse 6 | jackson-databind | Out of support scope | ||
| Red Hat Mobile Application Platform 4 | jackson-databind | Out of support scope | ||
| Red Hat OpenShift Application Runtimes | jackson-databind | Affected | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-elasticsearch5 | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-logging-elasticsearch5 | Will not fix | ||
| Red Hat Satellite 6 | candlepin | Not affected | ||
| EAP-CD 19 Tech Preview | jackson-databind | Fixed | RHSA-2020:2333 | 28.05.2020 |
| Red Hat AMQ Streams 1 | jackson-databind | Fixed | RHSA-2020:0939 | 23.03.2020 |
| Red Hat Decision Manager 7 | jackson-databind | Fixed | RHSA-2020:0899 | 18.03.2020 |
Показывать по
Дополнительная информация
Статус:
8.1 High
CVSS3
Связанные уязвимости
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...
Уязвимость функции FasterXML Java-библиотеки для грамматического разбора JSON файлов jackson-databind, позволяющая нарушителю получить полный контроль над системой
8.1 High
CVSS3