{ "threat_severity" : "Important", "public_date" : "2020-12-23T00:00:00Z", "bugzilla" : { "description" : "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool", "id" : "1911502", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1911502" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-96", "details" : [ "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", "A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ], "statement" : "The following Red Hat Products ship jackson-databind version 2.10.0 or later which is not considered affected by this CVE (see https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba) \n* JBoss Data Grid 7\n* JBoss Data Grid 8\n* Enterprise Application Platform 7\n* Red Hat Decision Manager 7\n* Red Hat Process Automation Manager 7\n* Red Hat Single Sign-On (RH-SSO) 7\n* Red Hat JBoss Fuse 7\n* Red Hat JBoss A-MQ\n* Red Hat Enterprise Linux 8\n* Red Hat Satellite 6.6\n* Red Hat Satellite 6.7\n* Red Hat Satellite 6.8\n* Red Hat CodeReady Studio 12\nRed Hat OpenShift Container Platform and Red Hat OpenStack Platform does ship the vulnerable components, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.\nIn Red Hat Openshift 4 there are no plans to maintain the ose-logging-elasticsearch5 container, hence it has been marked wontfix at this time and may be fixed in a future update.\nRed Hat OpenStack Platform 13 ships OpenDaylight, which contains the vulnerable jackson-databind, but does not expose jackson-databind in a way that would make it exploitable. As such, Red Hat will not be providing a fix for OpenDaylight at this time.", "affected_release" : [ { "product_name" : "OpenShift Logging 5.0", "release_date" : "2021-05-06T00:00:00Z", "advisory" : "RHSA-2021:1515", "cpe" : "cpe:/a:redhat:logging:5.0::el8", "package" : "openshift-logging/elasticsearch6-rhel8:v5.0.3-1" }, { "product_name" : "Red Hat OpenShift Container Platform 4.6", "release_date" : "2021-04-27T00:00:00Z", "advisory" : "RHSA-2021:1230", "cpe" : "cpe:/a:redhat:openshift:4.6::el8", "package" : "openshift4/ose-logging-elasticsearch6:v4.6.0-202104161407.p0", "impact" : "moderate" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "pki-deps:10.6/jackson-databind", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Service Registry", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss BRMS 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Affected", "package_name" : "openshift3/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:3.11", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-metering-hadoop", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-metering-hive", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-metering-presto", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:10" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13", "impact" : "moderate" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Not affected", "package_name" : "jackson-databind", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-35728\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-35728\nhttps://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\nhttps://github.com/FasterXML/jackson-databind/issues/2999" ], "name" : "CVE-2020-35728", "mitigation" : { "value" : "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`\n* avoid com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool in the classpath", "lang" : "en:us" }, "csaw" : false }