Описание
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality.
Отчет
While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release. Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release. The PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.
Меры по смягчению последствий
The following conditions are needed for an exploit, we recommend avoiding all if possible
- Deserialization from sources you do not control
enableDefaultTyping()@JsonTypeInfo usingid.CLASSorid.MINIMAL_CLASS`
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | pki-deps:10.6/jackson-databind | Affected | ||
| Red Hat JBoss A-MQ 6 | jackson-databind | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 7 | jackson-databind | Not affected | ||
| Red Hat JBoss Fuse 6 | jackson-databind | Not affected | ||
| Red Hat OpenShift Application Runtimes | jackson-databind | Not affected | ||
| EAP-CD 19 Tech Preview | jackson-databind | Fixed | RHSA-2020:2333 | 28.05.2020 |
| Red Hat Data Grid 7.3.7 | Fixed | RHSA-2020:3779 | 17.09.2020 | |
| Red Hat Decision Manager 7 | jackson-databind | Fixed | RHSA-2020:3196 | 29.07.2020 |
| Red Hat Fuse 7.7.0 | jackson-databind | Fixed | RHSA-2020:3192 | 28.07.2020 |
| Red Hat Process Automation 7 | jackson-databind | Fixed | RHSA-2020:3197 | 29.07.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...
jackson-databind mishandles the interaction between serialization gadgets and typing
Уязвимость библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
EPSS
8.1 High
CVSS3