A deserialization flaw was discovered in the jackson-databind that could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaws CVE-2017-7525 and CVE-2017-17485 by blacklisting more classes that could be used maliciously.
Find out more about CVE-2018-5968 from the MITRE CVE dictionary dictionary and NIST NVD.
JBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advice about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here:
https://access.redhat.com/solutions/3279231
This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellitw 6.x. However the affected code is NOT used at this time:
Candlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.
However as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.
Red Hat Subscription Asset Manager version 1 is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates.
| CVSS3 Base Score | 8.1 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server | RHSA-2018:0480 | 2018-03-12 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2018:0481 | 2018-03-12 |
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) | RHSA-2018:1525 | 2018-05-15 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server | RHSA-2018:0479 | 2018-03-12 |
| Red Hat JBoss EAP 7 | RHSA-2018:0478 | 2018-03-12 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2018:0481 | 2018-03-12 |
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | jackson-databind | Will not fix |
| Red Hat Subscription Asset Manager 1 | jackson-databind | Will not fix |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-eclipse46-jackson-databind | Will not fix |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-maven35-jackson-databind | Will not fix |
| Red Hat Single Sign-On 7 | jackson-databind | Will not fix |
| Red Hat Satellite 6 | jackson-databind | Will not fix |
| Red Hat JBoss Fuse 6 | jackson-databind | Not affected |
| Red Hat JBoss EAP 6 | jackson-databind | Will not fix |
| Red Hat JBoss Data Virtualization 6 | jackson-databind | Will not fix |
| Red Hat JBoss Data Grid 7 | jackson-databind | Not affected |
| Red Hat JBoss BPMS 6 | jackson-databind | Will not fix |
| Red Hat JBoss A-MQ 6 | jackson-databind | Not affected |
Vulmon