CVE-2019-12384

Impact:
Important
Public Date:
2019-06-21
CWE:
CWE-502
Bugzilla:
1725807: CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution

The MITRE CVE dictionary describes this issue as:

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Find out more about CVE-2019-12384 from the MITRE CVE dictionary and NIST NVD.

Statement

Red Hat OpenStack's OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.

CVSS v3 metrics

CVSS3 Base Score 8.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 8 (pki-deps:10.6) RHSA-2019:2720 2019-09-12
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-maven35-jackson-databind) RHSA-2019:1820 2019-07-22

Affected Packages State

Platform Package State
Red Hat Single Sign-On 7 jackson-databind Not affected
Red Hat Satellite 6 jackson-databind Will not fix
Red Hat OpenStack Platform 9.0 opendaylight Not affected
Red Hat OpenStack Platform 14.0 (Rocky) opendaylight Not affected
Red Hat OpenStack Platform 13.0 (Queens) opendaylight Not affected
Red Hat OpenStack Platform 10 opendaylight Not affected
Red Hat OpenShift Container Platform 4.1 logging-elasticsearch5-container Affected
Red Hat OpenShift Container Platform 3.9 openshift-elasticsearch-plugin Affected
Red Hat OpenShift Container Platform 3.9 elasticsearch-cloud-kubernetes Affected
Red Hat OpenShift Container Platform 3.7 elasticsearch-cloud-kubernetes Out of support scope
Red Hat OpenShift Container Platform 3.7 openshift-elasticsearch-plugin Out of support scope
Red Hat OpenShift Container Platform 3.6 elasticsearch-cloud-kubernetes Out of support scope
Red Hat OpenShift Container Platform 3.6 openshift-elasticsearch-plugin Out of support scope
Red Hat OpenShift Container Platform 3.11 logging-elasticsearch5-container Affected
Red Hat OpenShift Container Platform 3.10 elasticsearch-cloud-kubernetes Affected
Red Hat OpenShift Container Platform 3.10 openshift-elasticsearch-plugin Affected
Red Hat OpenShift Application Runtimes 1.0 vertx Under investigation
Red Hat OpenShift Application Runtimes 1.0 swarm Under investigation
Red Hat Mobile Application Platform On-Premise 4 jackson-databind Not affected
Red Hat JBoss Fuse 7 jackson-databind Affected
Red Hat JBoss Fuse 6 jackson-databind Affected
Red Hat JBoss EAP 7 jackson-databind Affected
Red Hat JBoss BPMS 6 jackson-databind Affected
Red Hat JBoss A-MQ 6 jackson-databind Under investigation
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

Mitigation

This vulnerability relies on logback-core (ch.qos.logback.core) being present in the application's ClassPath. logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability.

This issue affects the versions of jackson-databind bundled with Candlepin as shipped with Red Hat Satellite 6.x. However, the affected code is NOT used at this time:
 * Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates and uses. Nowhere in Candlepin is global polymorphic deserialization enabled via enableDefaultTyping(...), so Candlepin should not be affected.
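The two preconditions the Mitigation section names, logback-core present on the classpath and global default typing enabled via enableDefaultTyping(...), can be checked and avoided in code. The following Java is an added illustration, not code from this advisory, from Red Hat or from the jackson-databind project; it assumes jackson-databind 2.10 or later for the allow-list API, assumes ch.qos.logback.core.Context is a class shipped in logback-core, and uses constructed Shape/Circle types.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {
    // Constructed application types that legitimately need polymorphic handling.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    // Precondition 1 from the advisory: is logback-core (ch.qos.logback.core) loadable at all?
    // ch.qos.logback.core.Context is assumed here to be a class shipped in that jar.
    public static boolean logbackCoreOnClasspath() {
        try {
            Class.forName("ch.qos.logback.core.Context");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }
    // Precondition 2, weak form: global default typing lets a JSON type id name any class
    // on the classpath, so jackson-databind has to block-list gadget classes one by one.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return mapper;
    }
    // Hardened form (jackson-databind 2.10+): a type id is resolved only if it passes an
    // explicit allow-list, so unrelated classes are refused whatever the classpath holds.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)   // only our own Shape implementations
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("logback-core on classpath: " + logbackCoreOnClasspath());
        // Default typing uses the wrapper-array form ["<class name>", {...}]; reading into
        // Object mirrors the Object-typed properties that NON_FINAL default typing covers.
        String allowed = "[\"" + Circle.class.getName() + "\",{\"radius\":1.5}]";
        String other = "[\"java.util.HashMap\",{}]"; // harmless stand-in for any non-allow-listed class
        System.out.println("hardened reads: " + hardenedMapper().readValue(allowed, Object.class).getClass());
        System.out.println("weak resolves anything: " + weakMapper().readValue(other, Object.class).getClass());
        try {
            hardenedMapper().readValue(other, Object.class);
        } catch (JsonProcessingException e) {
            System.out.println("hardened refuses: " + e.getOriginalMessage());
        }
    }
}
```

Run it once with and once without logback-core on the classpath: the first line shows whether the advisory's precondition holds, and the last two lines show that the allow-listed mapper refuses the non-listed type id before any instance is created, while the weak mapper resolves it.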

Last Modified

CVE description copyright © 2017, The MITRE Corporation