Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-36179

Опубликовано: 31 дек. 2020
Источник: redhat
CVSS3: 8.1
EPSS Средний

Описание

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Отчет

The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit, lowering their vulnerability impact:

  • JBoss Data Grid 7
  • Business Process Management Suite 6
  • Business Rules Management Suite 6
  • JBoss Data Virtualization 6
  • Red Hat Fuse Service Works 6
  • Red Hat OpenStack Platform
  • Red Hat OpenShift containers: ose-metering-hadoop, ose-metering-hive, ose-logging-elasticsearch5, ose-logging-elasticsearch6
    These products may update the jackson-databind dependency in a future release. In Red Hat Openshift 4 there are no plans to maintain the ose-logging-elasticsearch5 container, therefore it has been marked wontfix at this time and may be fixed in a future update. The following Red Hat products ship OpenDaylight, which contains the vulnerable jackson-databind, but do not expose jackson-databind in a way that would make it exploitable:
  • Red Hat OpenStack Platform 13 As such, Red Hat will not be providing a fix for OpenDaylight at this time. The following Red Hat products are not affected by this flaw because they use a more recent version of jackson-databind that does not contain the vulnerable code:
  • CodeReady Studio 12.16.0
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Virtualization
  • Red Hat Satellite 6
  • Red Hat OpenShift container: ose-metering-presto

Меры по смягчению последствий

The following conditions are needed for an exploit, we recommend avoiding all if possible:

  • Deserialization from sources you do not control
  • enableDefaultTyping()
  • @JsonTypeInfo using id.CLASSorid.MINIMAL_CLASS`
  • avoid: oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS, org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS, org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS, org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS, org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool, org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource, org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource, org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource, org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource, com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource, com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource in the classpath

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
A-MQ Clients 2jackson-databindNot affected
Red Hat BPM Suite 6jackson-databindOut of support scope
Red Hat build of Quarkusjackson-databindNot affected
Red Hat CodeReady Studio 12jackson-databindNot affected
Red Hat Data Grid 8jackson-databindNot affected
Red Hat Decision Manager 7jackson-databindNot affected
Red Hat Enterprise Linux 8pki-deps:10.6/jackson-databindNot affected
Red Hat Enterprise Linux 9jackson-databindNot affected
Red Hat Fuse 7jackson-databindNot affected
Red Hat Integration Camel K 1jackson-databindNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1913871jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS

EPSS

Процентиль: 98%
0.60256
Средний

8.1 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-36179

CVSS3: 8.1
ubuntu
около 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

nvd логотип

CVE-2020-36179

CVSS3: 8.1
nvd
около 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

debian логотип

CVE-2020-36179

CVSS3: 8.1
debian
около 5 лет назад

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...

github логотип

GHSA-9gph-22xh-8x98

CVSS3: 8.1
github
около 4 лет назад

Unsafe Deserialization in jackson-databind

fstec логотип

BDU:2021-02830

CVSS3: 8.1
fstec
около 5 лет назад

Уязвимость компонента oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS библиотеки Jackson-databind проекта FasterXML, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

EPSS

Процентиль: 98%
0.60256
Средний

8.1 High

CVSS3