{ "threat_severity" : "Important", "public_date" : "2020-04-07T00:00:00Z", "bugzilla" : { "description" : "jackson-databind: Serialization gadgets in commons-jelly:commons-jelly", "id" : "1826798", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1826798" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-502", "details" : [ "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).", "A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ], "statement" : "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\nWhile OpenShift Container Platform's elasticsearch plugins do ship the vulnerable component, it doesn't do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.", "affected_release" : [ { "product_name" : "Red Hat Data Grid 7.3.7", "release_date" : "2020-09-17T00:00:00Z", "advisory" : "RHSA-2020:3779", "cpe" : "cpe:/a:redhat:jboss_data_grid:7.3" }, { "product_name" : "Red Hat Decision Manager 7", "release_date" : "2020-07-29T00:00:00Z", "advisory" : "RHSA-2020:3196", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.8", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Red Hat Fuse 7.7.0", "release_date" : "2020-07-28T00:00:00Z", "advisory" : "RHSA-2020:3192", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Continuous Delivery", "release_date" : "2020-06-15T00:00:00Z", "advisory" : "RHSA-2020:2565", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_cd:18", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Red Hat Process Automation 7", "release_date" : "2020-07-29T00:00:00Z", "advisory" : "RHSA-2020:3197", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Red Hat Single Sign-On 7.4.0", "release_date" : "2020-12-17T00:00:00Z", "advisory" : "RHSA-2020:5625", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7", "package" : "jackson-databind", "impact" : "moderate" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2020-05-26T00:00:00Z", "advisory" : "RHSA-2020:2320", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven35-jackson-databind-0:2.7.6-2.10.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2020-05-26T00:00:00Z", "advisory" : "RHSA-2020:2320", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven35-jackson-databind-0:2.7.6-2.10.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2020-05-26T00:00:00Z", "advisory" : "RHSA-2020:2320", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven35-jackson-databind-0:2.7.6-2.10.el7" }, { "product_name" : "Text-Only RHOAR", "release_date" : "2020-05-18T00:00:00Z", "advisory" : "RHSA-2020:2067", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:a_mq_clients:2", "impact" : "moderate" }, { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "pki-deps:10.6/jackson-databind", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "impact" : "low" }, { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_amq:6", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss BRMS 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_data_grid:7", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_fuse:6", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Will not fix", "package_name" : "openshift3/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:3.11", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:10", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13", "impact" : "low" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Will not fix", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:satellite:6", "impact" : "low" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-11620\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11620" ], "name" : "CVE-2020-11620", "mitigation" : { "value" : "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "lang" : "en:us" }, "csaw" : false }