Bug 1752962 (CVE-2019-14439) - CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI
Summary: CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14439
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1752964 1760299 1762564 1762566 1762567 1762568 1762569 1762570 1762571 1762572 1781719
Blocks:
Reported: 2019-09-17 16:34 UTC by Pedro Sampaio
Modified: 2021-12-14 18:47 UTC
CC: 112 users

Fixed In Version: jackson-databind 2.9.10, jackson-databind 2.8.11.4, jackson-databind 2.7.9.6, jackson-databind 2.6.7.3
Clone Of:
Environment:
Last Closed: 2019-10-24 12:51:14 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3200 0 None None None 2019-10-24 09:18:25 UTC
Red Hat Product Errata RHSA-2020:0983 0 None None None 2020-03-26 15:48:48 UTC

Description Pedro Sampaio 2019-09-17 16:34:01 UTC
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Upstream issue:

https://github.com/FasterXML/jackson-databind/issues/2389

Upstream patch:

https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b

References:

https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E

Comment 1 Pedro Sampaio 2019-09-17 16:37:13 UTC
Created jackson-databind tracking bugs for this issue:

Affects: fedora-all [bug 1752964]

Comment 5 Cedric Buissart 2019-09-23 10:11:45 UTC
Statement:

OpenDaylight provided as part of Red Hat OpenStack does not utilize logback when used in a supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.

Satellite 6 does not enable polymorphic unmarshalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.

Comment 10 errata-xmlrpc 2019-10-24 09:18:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2019:3200 https://access.redhat.com/errata/RHSA-2019:3200

Comment 11 Product Security DevOps Team 2019-10-24 12:51:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14439

Comment 12 Paramvir jindal 2019-11-19 11:01:21 UTC
Marking RHSSO as not affected because RHSSO 7.3.4 ships:
rhsso-7.3/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.4.CP/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.9.3-redhat-00001.jar

Affected versions are FasterXML jackson-databind 2.x before 2.9.9.2

Comment 16 Kunjan Rathod 2019-12-06 01:40:21 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss Data Virtualization & Services 6


Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 19 Jonathan Christison 2020-02-28 14:48:10 UTC
Mitigation:

The following conditions are needed for an exploit; we recommend avoiding all of them if possible:
* Deserialization from sources you do not control
* `enableDefaultTyping()`
* `@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`
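
An added example (not code from this bug report, from Red Hat, or from the Jackson project) that puts the two code-level conditions from the mitigation above next to configurations that avoid them. It assumes jackson-databind 2.10 or later, where `activateDefaultTyping` takes a `PolymorphicTypeValidator`; the `com.example.model` package and the `Animal`, `Cat` and `Dog` types are hypothetical.

```java
// Added example, not code from the bug report or the Jackson project.
// Assumes jackson-databind 2.10+ (PolymorphicTypeValidator API); the
// com.example.model package and the Animal/Cat/Dog types are hypothetical.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphism {

    // WEAK: the global switch named in the mitigation comment. With it on, the
    // JSON document itself chooses which class gets instantiated, and any
    // gadget library on the classpath (logback, for this CVE) becomes reachable.
    // @JsonTypeInfo(use = Id.CLASS) has the same effect for a single property.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10; never for untrusted input
        return mapper;
    }

    // SAFE: polymorphism expressed with logical names and a closed list of
    // subtypes. The JSON can only pick "cat" or "dog", never a class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Cat.class, name = "cat"),
        @JsonSubTypes.Type(value = Dog.class, name = "dog")
    })
    interface Animal { String sound(); }

    public static class Cat implements Animal {
        public String name;
        public String sound() { return "meow"; }
    }

    public static class Dog implements Animal {
        public String name;
        public String sound() { return "woof"; }
    }

    // SAFER: if default typing is genuinely required, gate it with a validator
    // that allowlists your own package prefix (jackson-databind 2.10+). Any
    // type id outside the prefix is rejected before instantiation.
    static ObjectMapper guardedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.") // hypothetical package
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Parse with a plain mapper (no default typing); the annotations on Animal
    // do the dispatch. Returns null when the "kind" is not on the allowlist.
    static Animal parseAnimal(String json) {
        try {
            return new ObjectMapper().readValue(json, Animal.class);
        } catch (JsonMappingException e) {
            // InvalidTypeIdException for an unknown "kind": log it and reject.
            System.err.println("rejected: " + e.getOriginalMessage());
            return null;
        } catch (java.io.IOException e) {
            throw new RuntimeException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one listed type id, one that is not.
        Animal ok = parseAnimal("{\"kind\":\"cat\",\"name\":\"Tom\"}");
        System.out.println(ok == null ? "null" : ok.sound());          // meow
        Animal bad = parseAnimal("{\"kind\":\"unlisted\",\"name\":\"x\"}");
        System.out.println(bad == null ? "rejected" : bad.sound());    // rejected
    }
}
```

The third condition in the mitigation list, input from sources you do not control, is a deployment question rather than a code one; the statement in Comment 5 shows the other lever, ruling a product out because the gadget library (logback) is absent from its supported configuration.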

Comment 20 errata-xmlrpc 2020-03-26 15:48:42 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
