CVE-2018-7489

Impact:
Moderate
Public Date:
2018-02-26
CWE:
CWE-20
Bugzilla:
1549276: CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries

The MITRE CVE dictionary describes this issue as:

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Find out more about CVE-2018-7489 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.

Satellite 6.2 does not support c3p0 classes. Since the latter are required for this flaw, therefore Satellite 6.2 is not affected. Satellite 6.3 and 6.4 are not affected because Candlepin does not use polymorphic deserialization.

CVSS v3 metrics

CVSS3 Base Score 8.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server RHSA-2018:1449 2018-05-14
Red Hat JBoss EAP 7.1 RHSA-2018:2088 2018-06-27
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) RHSA-2018:1451 2018-05-14
Red Hat OpenShift Application Runtimes 1.0 RHSA-2018:1786 2018-06-04
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jackson-databind) RHSA-2018:2090 2018-06-27
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server RHSA-2018:1450 2018-05-14
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jackson-databind) RHSA-2018:2089 2018-06-27
Red Hat OpenShift Application Runtimes 1.0 RHSA-2018:2938 2018-10-17
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2018:1447 2018-05-14
Red Hat JBoss Fuse 6.3 RHSA-2018:2939 2018-10-17
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server RHSA-2018:1448 2018-05-14

Affected Packages State

Platform Package State
Red Hat Virtualization 4 eap7-jackson-databind Affected
Red Hat Subscription Asset Manager 1 jackson-databind Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux rh-eclipse46-jackson-databind Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux rh-maven35-jackson-databind Affected
Red Hat Satellite 6 jackson-databind Not affected
Red Hat OpenShift Enterprise 2 jackson-databind Under investigation
Red Hat Mobile Application Platform On-Premise 4 jackson-databind Not affected
Red Hat JBoss Operations Network 3 Core Server Under investigation
Red Hat JBoss Fuse 7 Camel Affected
Red Hat JBoss Data Virtualization 6 jackson-databind Will not fix
Red Hat JBoss Data Grid 7 jackson-databind Not affected
Red Hat JBoss BRMS 6 jackson-databind Affected
Red Hat JBoss BPMS 6 jackson-databind Affected
Red Hat JBoss A-MQ 6 jackson-databind Will not fix

Mitigation

Advice on how to remain safe while using JAX-RS webservices on JBoss EAP 7.x is available here:

https://access.redhat.com/solutions/3279231
https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation