Описание
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Отчет
The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit, lowering their vulnerability impact:
- JBoss Data Grid 7
- Business Process Management Suite 6
- Business Rules Management Suite 6
- JBoss Data Virtualization 6
- Red Hat Fuse Service Works 6
- Red Hat OpenStack Platform
- Red Hat OpenShift containers: ose-metering-hadoop, ose-metering-hive, ose-logging-elasticsearch5, ose-logging-elasticsearch6
These products may update the jackson-databind dependency in a future release. In Red Hat Openshift 4 there are no plans to maintain the ose-logging-elasticsearch5 container, hence it has been marked wontfix at this time and may be fixed in a future update. The following Red Hat products ship OpenDaylight, which contains the vulnerable jackson-databind, but do not expose jackson-databind in a way that would make it exploitable - Red Hat OpenStack Platform 13 As such, Red Hat will not be providing a fix for OpenDaylight at this time. The following Red Hat products are not affected by this flaw because they use a more recent version of jackson-databind that does not contain the vulnerable code:
- CodeReady Studio 12.16.0
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Virtualization
- Red Hat Satellite 6
- Red Hat OpenShift container: ose-metering-presto
Меры по смягчению последствий
The following conditions are needed for an exploit, we recommend avoiding all if possible:
- Deserialization from sources you do not control
enableDefaultTyping()@JsonTypeInfo usingid.CLASSorid.MINIMAL_CLASS`- avoid org.apache.commons.dbcp2.datasources.PerUserPoolDataSource and org.apache.commons.dbcp2.datasources.SharedPoolDataSource in the classpath
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | jackson-databind | Not affected | ||
| Red Hat BPM Suite 6 | jackson-databind | Out of support scope | ||
| Red Hat build of Quarkus | jackson-databind | Not affected | ||
| Red Hat CodeReady Studio 12 | jackson-databind | Not affected | ||
| Red Hat Data Grid 8 | jackson-databind | Not affected | ||
| Red Hat Decision Manager 7 | jackson-databind | Not affected | ||
| Red Hat Enterprise Linux 8 | pki-deps:10.6/jackson-databind | Not affected | ||
| Red Hat Fuse 7 | jackson-databind | Not affected | ||
| Red Hat Integration Camel K 1 | jackson-databind | Not affected | ||
| Red Hat Integration Service Registry | jackson-databind | Not affected |
Показывать по
Дополнительная информация
Статус:
8.1 High
CVSS3
Связанные уязвимости
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...
Serialization gadgets exploit in jackson-databind
Уязвимость компонента org.apache.commons.dbcp2.datasources.PerUserPoolDataSource библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю выполнить произвольный код
8.1 High
CVSS3