Jackson Databind deserialization in EAP 6.4


Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.4 CP20

Issue

  • How to protect EAP 6.4 from jackson databind deserialization vulnerabilities?

  • Getting error with custom JSON Jackson mappings:

      org.codehaus.jackson.map.JsonMappingException: Illegal type (<fully qualified class name>) to deserialize: prevented for security reasons
    
  • Jackson error after applying patch 6.4 CP21

Resolution

From EAP 6.4 CP20 onwards, Jackson deserialization in EAP is restricted to a whitelist of packages, configured through the system property jackson.deserialization.whitelist.packages. Its value is a comma-delimited list of Java package names whose classes are allowed to be deserialized. Pass it to the server with -Djackson.deserialization.whitelist.packages, for example:

Standalone mode:

./standalone.sh  -Djackson.deserialization.whitelist.packages=foo.bar.package,another.package

or

Domain mode:

./domain.sh  -Djackson.deserialization.whitelist.packages=foo.bar.package,another.package

Customers hitting this issue on JBoss BPM Suite must whitelist the packages org.kie and org.drools, plus any of their own packages whose classes are exchanged through the Kie Server remote APIs:

-Djackson.deserialization.whitelist.packages=org.kie,org.drools,other.custom.package

To make the system property persistent through the management CLI instead of passing it on the command line, see How to add/remove/update system properties in EAP 6.x/7.x.

With this change there is no longer a blacklist of known-dangerous classes: any class outside the whitelisted packages is refused with the JsonMappingException quoted in the Issue section, so the packages your application needs Jackson to deserialize must be listed explicitly.

Notes:

  • The system property jackson.deserialization.whitelist.packages takes a comma-delimited list of the Java package names that are allowed to be deserialized. It accepts package names only, not file or jar names.
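As an added example, not part of the Red Hat article, the following POSIX shell wrapper checks that the value really is a list of Java package names (the constraint stated in the note above) and then stores the property persistently with jboss-cli, in standalone mode or for a domain server group. EAP_HOME defaulting to /opt/jboss-eap-6.4, the server-group name main-server-group and the local management interface are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: validate the value for
# jackson.deserialization.whitelist.packages and apply it persistently with
# jboss-cli, in standalone or domain mode.
# Assumptions (not from the article): EAP_HOME defaults to /opt/jboss-eap-6.4,
# the domain server group defaults to EAP's stock "main-server-group", and
# jboss-cli --connect reaches the local management interface.
set -eu

PROP=jackson.deserialization.whitelist.packages
# One Java identifier per dot-separated segment: the shape of a package name.
PKG_RE='^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$'

# The property takes package names only, not files, jars or classes.
# Returns 0 when every comma-separated item is a plausible package name,
# 1 otherwise (runs in a subshell so the IFS change does not leak out).
validate_packages() (
    list=${1:-}
    [ -n "$list" ] || return 1
    set -f          # no pathname expansion while splitting the list
    IFS=,
    for pkg in $list; do
        case "$pkg" in
            *.jar|*.class|*/*) return 1 ;;   # a file, jar or class, not a package
        esac
        printf '%s\n' "$pkg" | grep -Eq "$PKG_RE" || return 1
    done
    return 0
)

# Print the jboss-cli command that stores the property in the server config.
# $1 is "standalone" or "domain"; $2 the package list; $3 (domain only) the
# server group whose managed servers should receive the property.
cli_command() {
    mode=$1; list=$2; group=${3:-main-server-group}
    case "$mode" in
        standalone) printf '/system-property=%s:add(value="%s")\n' "$PROP" "$list" ;;
        domain)     printf '/server-group=%s/system-property=%s:add(value="%s")\n' \
                        "$group" "$PROP" "$list" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Validate first, then hand the command to jboss-cli against the running server.
apply_whitelist() {
    mode=$1; list=${2:?package list required}; group=${3:-main-server-group}
    validate_packages "$list" || {
        echo "refusing '$list': the property takes Java package names only" >&2
        return 1
    }
    cmd=$(cli_command "$mode" "$list" "$group")
    "${EAP_HOME:-/opt/jboss-eap-6.4}/bin/jboss-cli.sh" --connect --command="$cmd"
}

# Usage: ./jackson-whitelist.sh standalone org.kie,org.drools
#        ./jackson-whitelist.sh domain org.kie,org.drools,com.example.model other-group
case "${1:-}" in
    standalone|domain) apply_whitelist "$@" ;;
esac
```

The `:add` operation fails if the property already exists; to change an existing value use `:write-attribute(name=value,value="...")` on the same resource instead. In domain mode, a system-property placed on the server group (or host) is what the host controller pushes into each managed server's JVM, which is why the wrapper targets /server-group rather than the host controller's own command line.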

Root Cause

A deserialization flaw was discovered in jackson-databind that could allow an unauthenticated user to achieve code execution by sending maliciously crafted input to the readValue method of ObjectMapper. The whitelist system property described above addresses CVE-2017-15095, CVE-2017-17485 and CVE-2018-7489.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.