CVE-2018-5968

Impact:
Moderate
Public Date:
2018-01-18
CWE:
CWE-502
Bugzilla:
1538332: CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)
A deserialization flaw was discovered in the jackson-databind that could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaws CVE-2017-7525 and CVE-2017-17485 by blacklisting more classes that could be used maliciously.

Find out more about CVE-2018-5968 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

JBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advice about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here:

https://access.redhat.com/solutions/3279231

This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellitw 6.x. However the affected code is NOT used at this time:

Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.

However as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.

Red Hat Subscription Asset Manager version 1 is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates.

CVSS v3 metrics

CVSS3 Base Score 8.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server RHSA-2018:0480 2018-03-12
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) RHSA-2018:0481 2018-03-12
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) RHSA-2018:1525 2018-05-15
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server RHSA-2018:0479 2018-03-12
Red Hat JBoss EAP 7 RHSA-2018:0478 2018-03-12
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) RHSA-2018:0481 2018-03-12

Affected Packages State

Platform Package State
Red Hat Virtualization 4 jackson-databind Will not fix
Red Hat Subscription Asset Manager 1 jackson-databind Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux rh-eclipse46-jackson-databind Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux rh-maven35-jackson-databind Will not fix
Red Hat Single Sign-On 7 jackson-databind Will not fix
Red Hat Satellite 6 jackson-databind Will not fix
Red Hat JBoss Fuse 6 jackson-databind Not affected
Red Hat JBoss EAP 6 jackson-databind Will not fix
Red Hat JBoss Data Virtualization 6 jackson-databind Will not fix
Red Hat JBoss Data Grid 7 jackson-databind Not affected
Red Hat JBoss BPMS 6 jackson-databind Will not fix
Red Hat JBoss A-MQ 6 jackson-databind Not affected
Last Modified