{ "threat_severity" : "Important", "public_date" : "2020-09-18T00:00:00Z", "bugzilla" : { "description" : "jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration", "id" : "1882310", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1882310" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-502", "details" : [ "FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.6. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and system availability." ], "statement" : "The following Red Hat products do ship the vulnerable component, but do not enable the unsafe conditions needed to exploit:\n* JBoss Data Grid 7\n* Business Process Management Suite 6\n* Business Rules Management Suite 6\n* JBoss Data Virtualization 6\n* OpenShift Container Platform\nThese products may update the jackson-databind dependency in a future release.\nThe following Red Hat products ship OpenDaylight, which contains the vulnerable jackson-databind, but do not expose jackson-databind in a way that would make it exploitable\n* Red Hat OpenStack Platform 13\nAs such, Red Hat will not be providing a fix for OpenDaylight at this time.\nThe following Red Hat products are not affected by this flaw because they use a more recent version of jackson-databind that does not contain the vulnerable code:\n* CodeReady Studio 12.16.0\n* Red Hat Enterprise Linux 8\n* Red Hat Enterprise Virtualization\n* Red Hat Satellite 6", "affected_release" : [ { "product_name" : "OpenShift Logging 5.0", "release_date" : "2021-05-06T00:00:00Z", "advisory" : "RHSA-2021:1515", "cpe" : "cpe:/a:redhat:logging:5.0::el8", "package" : "openshift-logging/elasticsearch6-rhel8:v5.0.3-1" }, { "product_name" : "Red Hat OpenShift Container Platform 4.6", "release_date" : "2021-04-27T00:00:00Z", "advisory" : "RHSA-2021:1230", "cpe" : "cpe:/a:redhat:openshift:4.6::el8", "package" : "openshift4/ose-logging-elasticsearch6:v4.6.0-202104161407.p0", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4.7", "release_date" : "2021-02-24T00:00:00Z", "advisory" : "RHSA-2020:5635", "cpe" : "cpe:/a:redhat:openshift:4.7::el8", "package" : "openshift4/ose-metering-presto:v4.7.0-202102110027.p0", "impact" : "moderate" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2020-10-05T00:00:00Z", "advisory" : "RHSA-2020:4173", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven35-jackson-databind-0:2.7.6-2.11.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2020-10-05T00:00:00Z", "advisory" : "RHSA-2020:4173", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven35-jackson-databind-0:2.7.6-2.11.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2020-10-05T00:00:00Z", "advisory" : "RHSA-2020:4173", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven35-jackson-databind-0:2.7.6-2.11.el7" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform", "impact" : "moderate" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "pki-deps:10.6/jackson-databind", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Service Registry", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss BRMS 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_data_grid:7", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Continuous Delivery", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_cd" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Will not fix", "package_name" : "openshift3/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:3.11", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Out of support scope", "package_name" : "openshift4/ose-metering-hadoop", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Out of support scope", "package_name" : "openshift4/ose-metering-hive", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:10", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13", "impact" : "low" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Not affected", "package_name" : "ovirt-engine", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-24750\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-24750" ], "name" : "CVE-2020-24750", "mitigation" : { "value" : "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`\n* avoid com.pastdev.httpcomponents in the classpath", "lang" : "en:us" }, "csaw" : false }