{ "threat_severity" : "Important", "public_date" : "2018-11-18T00:00:00Z", "bugzilla" : { "description" : "jackson-databind: improper polymorphic deserialization in openjpa class", "id" : "1666484", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1666484" }, "cvss3" : { "cvss3_base_score" : "7.3", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-502", "details" : [ "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.", "A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code." ], "statement" : "Red Hat Satellite 6 is not affected by this issue, since its candlepin component doesn't bundle openjpa jar.\nRed Hat Virtualization 4 is not affected by this issue, since its candlepin component doesn't bundle openjpa jar.\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.", "affected_release" : [ { "product_name" : "OpenShift Logging 5.0", "release_date" : "2021-05-06T00:00:00Z", "advisory" : "RHSA-2021:1515", "cpe" : "cpe:/a:redhat:logging:5.0::el8", "package" : "openshift-logging/elasticsearch6-rhel8:v5.0.3-1" }, { "product_name" : "Red Hat Data Grid", "release_date" : "2019-12-02T00:00:00Z", "advisory" : "RHSA-2019:4037", "cpe" : "cpe:/a:redhat:jboss_data_grid:7.3", "package" : "jackson-databind" }, { "product_name" : "Red Hat Fuse 6.3", "release_date" : "2019-09-17T00:00:00Z", "advisory" : "RHSA-2019:2804", "cpe" : "cpe:/a:redhat:jboss_fuse:6.3", "package" : "jackson-databind" }, { "product_name" : "Red Hat Fuse 7.5.0", "release_date" : "2019-11-14T00:00:00Z", "advisory" : "RHSA-2019:3892", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "jackson-databind" }, { "product_name" : "Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R13", "release_date" : "2019-10-10T00:00:00Z", "advisory" : "RHSA-2019:3002", "cpe" : "cpe:/a:redhat:jboss_fuse:6.3", "package" : "jackson-databind" }, { "product_name" : "Red Hat JBoss BPMS 6.4", "release_date" : "2019-07-16T00:00:00Z", "advisory" : "RHSA-2019:1797", "cpe" : "cpe:/a:redhat:jboss_bpms:6.4", "package" : "jackson-databind" }, { "product_name" : "Red Hat JBoss BPMS 7.4", "release_date" : "2019-07-22T00:00:00Z", "advisory" : "RHSA-2019:1823", "cpe" : "cpe:/a:redhat:jboss_bpms:7.4", "package" : "jackson-databind" }, { "product_name" : "Red Hat JBoss BRMS 6.4.12", "release_date" : "2019-07-15T00:00:00Z", "advisory" : "RHSA-2019:1782", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4", "package" : "jackson-databind" }, { "product_name" : "Red Hat JBoss BRMS 7.4", "release_date" : "2019-07-22T00:00:00Z", "advisory" : "RHSA-2019:1822", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.4", "package" : "jackson-databind" }, { "product_name" : "Red Hat JBoss Data Virtualization 6.4.8", "release_date" : "2019-10-17T00:00:00Z", "advisory" : "RHSA-2019:3140", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.4", "package" : "jackson-databind" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Continuous Delivery", "release_date" : "2020-06-15T00:00:00Z", "advisory" : "RHSA-2020:2564", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_cd:16", "package" : "jackson-databind" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-10-18T00:00:00Z", "advisory" : "RHSA-2019:3149", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "openshift3/ose-logging-elasticsearch5:v3.11.153-2" }, { "product_name" : "Red Hat OpenShift Container Platform 4.1", "release_date" : "2019-09-27T00:00:00Z", "advisory" : "RHSA-2019:2858", "cpe" : "cpe:/a:redhat:openshift:4.1::el7", "package" : "openshift4/ose-logging-elasticsearch5:v4.1.18-201909201915" }, { "product_name" : "Red Hat OpenShift Container Platform 4.6", "release_date" : "2021-04-27T00:00:00Z", "advisory" : "RHSA-2021:1230", "cpe" : "cpe:/a:redhat:openshift:4.6::el8", "package" : "openshift4/ose-logging-elasticsearch6:v4.6.0-202104161407.p0" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-04-17T00:00:00Z", "advisory" : "RHSA-2019:0782", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven35-jackson-databind-0:2.7.6-2.5.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2019-04-17T00:00:00Z", "advisory" : "RHSA-2019:0782", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven35-jackson-databind-0:2.7.6-2.5.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-04-17T00:00:00Z", "advisory" : "RHSA-2019:0782", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven35-jackson-databind-0:2.7.6-2.5.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-04-17T00:00:00Z", "advisory" : "RHSA-2019:0782", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven35-jackson-databind-0:2.7.6-2.5.el7" }, { "product_name" : "Text-Only RHOAR", "release_date" : "2019-04-24T00:00:00Z", "advisory" : "RHSA-2019:0877", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Fuse Integration Service 2", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:fuse_integration_services:2" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Not affected", "package_name" : "Core Server", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat Mobile Application Platform 4", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:mobile_application_platform:4" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Container Platform 3.10", "fix_state" : "Affected", "package_name" : "elasticsearch-cloud-kubernetes", "cpe" : "cpe:/a:redhat:openshift:3.10" }, { "product_name" : "Red Hat OpenShift Container Platform 3.10", "fix_state" : "Affected", "package_name" : "openshift-elasticsearch-plugin", "cpe" : "cpe:/a:redhat:openshift:3.10" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.6", "fix_state" : "Affected", "package_name" : "openshift-elasticsearch-plugin", "cpe" : "cpe:/a:redhat:openshift:3.6" }, { "product_name" : "Red Hat OpenShift Container Platform 3.7", "fix_state" : "Affected", "package_name" : "openshift-elasticsearch-plugin", "cpe" : "cpe:/a:redhat:openshift:3.7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.9", "fix_state" : "Affected", "package_name" : "elasticsearch-cloud-kubernetes", "cpe" : "cpe:/a:redhat:openshift:3.9" }, { "product_name" : "Red Hat OpenShift Container Platform 3.9", "fix_state" : "Affected", "package_name" : "openshift-elasticsearch-plugin", "cpe" : "cpe:/a:redhat:openshift:3.9" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:10" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 14 (Rocky)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:14" }, { "product_name" : "Red Hat OpenStack Platform 8 (Liberty)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:8" }, { "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:9" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Subscription Asset Manager", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:rhel_sam:1" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Not affected", "package_name" : "rhvm-appliance", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-19361\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-19361" ], "name" : "CVE-2018-19361", "csaw" : false }