{ "threat_severity" : "Important", "public_date" : "2020-01-02T00:00:00Z", "bugzilla" : { "description" : "jackson-databind: lacks certain net.sf.ehcache blocking", "id" : "1793154", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1793154" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-502", "details" : [ "FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.", "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code." ], "statement" : "While OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.", "affected_release" : [ { "product_name" : "EAP-CD 19 Tech Preview", "release_date" : "2020-05-28T00:00:00Z", "advisory" : "RHSA-2020:2333", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_cd:19", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Red Hat AMQ Streams 1", "release_date" : "2020-03-23T00:00:00Z", "advisory" : "RHSA-2020:0939", "cpe" : "cpe:/a:redhat:amq_streams:1", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Red Hat Decision Manager 7", "release_date" : "2020-07-29T00:00:00Z", "advisory" : "RHSA-2020:3196", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.8", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2020-04-28T00:00:00Z", "advisory" : "RHSA-2020:1644", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "pki-core:10.6-8020020200326162741.c7c3114f", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2020-04-28T00:00:00Z", "advisory" : "RHSA-2020:1644", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "pki-deps:10.6-8020020191204213056.6a468ee4", "impact" : "moderate" }, { "product_name" : "Red Hat Fuse 7.7.0", "release_date" : "2020-07-28T00:00:00Z", "advisory" : "RHSA-2020:3192", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Red Hat Process Automation 7", "release_date" : "2020-07-29T00:00:00Z", "advisory" : "RHSA-2020:3197", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite:6.6::el7", "package" : "candlepin-0:2.6.16-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite:6.6::el7", "package" : "foreman-0:1.22.0.39-2.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite:6.6::el7", "package" : "satellite-0:6.6.3-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite:6.6::el7", "package" : "tfm-rubygem-fog-ovirt-0:1.2.3-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite:6.6::el7", "package" : "tfm-rubygem-foreman_rh_cloud-0:0.9.4.1-2.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite:6.6::el7", "package" : "tfm-rubygem-katello-0:3.12.0.41-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite:6.6::el7", "package" : "tfm-rubygem-runcible-0:2.13.0-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite_capsule:6.6::el7", "package" : "candlepin-0:2.6.16-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite_capsule:6.6::el7", "package" : "foreman-0:1.22.0.39-2.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite_capsule:6.6::el7", "package" : "satellite-0:6.6.3-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite_capsule:6.6::el7", "package" : "tfm-rubygem-fog-ovirt-0:1.2.3-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite_capsule:6.6::el7", "package" : "tfm-rubygem-foreman_rh_cloud-0:0.9.4.1-2.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite_capsule:6.6::el7", "package" : "tfm-rubygem-katello-0:3.12.0.41-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.6 for RHEL 7", "release_date" : "2020-04-16T00:00:00Z", "advisory" : "RHBA-2020:1494", "cpe" : "cpe:/a:redhat:satellite_capsule:6.6::el7", "package" : "tfm-rubygem-runcible-0:2.13.0-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "candlepin-0:2.9.28-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "foreman-0:1.24.1.24-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "foreman-installer-1:1.24.1.21-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "pulp-rpm-0:2.21.0.6-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "satellite-0:6.7.2-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "tfm-rubygem-fog-vsphere-0:3.2.1.1-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "tfm-rubygem-foreman_remote_execution-0:2.0.10.1-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "tfm-rubygem-foreman_rh_cloud-0:1.0.9-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "tfm-rubygem-foreman-tasks-0:0.17.5.6-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "tfm-rubygem-hammer_cli_foreman-0:0.19.6.5-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite:6.7::el7", "package" : "tfm-rubygem-katello-0:3.14.0.25-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "candlepin-0:2.9.28-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "foreman-0:1.24.1.24-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "foreman-installer-1:1.24.1.21-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "pulp-rpm-0:2.21.0.6-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "satellite-0:6.7.2-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "tfm-rubygem-fog-vsphere-0:3.2.1.1-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "tfm-rubygem-foreman_remote_execution-0:2.0.10.1-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "tfm-rubygem-foreman_rh_cloud-0:1.0.9-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "tfm-rubygem-foreman-tasks-0:0.17.5.6-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "tfm-rubygem-hammer_cli_foreman-0:0.19.6.5-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6.7 for RHEL 7", "release_date" : "2020-07-30T00:00:00Z", "advisory" : "RHBA-2020:3255", "cpe" : "cpe:/a:redhat:satellite_capsule:6.7::el7", "package" : "tfm-rubygem-katello-0:3.14.0.25-1.el7sat", "impact" : "low" }, { "product_name" : "Red Hat Single Sign-On 7.3", "release_date" : "2020-03-23T00:00:00Z", "advisory" : "RHSA-2020:0951", "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Text-Only RHOAR", "release_date" : "2020-05-18T00:00:00Z", "advisory" : "RHSA-2020:2067", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" } ], "package_state" : [ { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat Mobile Application Platform 4", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:mobile_application_platform:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Will not fix", "package_name" : "openshift3/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:3.11", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Will not fix", "package_name" : "rh-maven35-jackson-databind", "cpe" : "cpe:/a:redhat:rhel_software_collections:3", "impact" : "moderate" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-20330\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-20330" ], "name" : "CVE-2019-20330", "mitigation" : { "value" : "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "lang" : "en:us" }, "csaw" : false }