FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-7489 from the MITRE CVE dictionary dictionary and NIST NVD.
Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.
Satellite 6.2 does not support c3p0 classes. Since the latter are required for this flaw, therefore Satellite 6.2 is not affected. Satellite 6.3 and 6.4 are not affected because Candlepin does not use polymorphic deserialization.
| CVSS3 Base Score | 8.1 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2018:1449 | 2018-05-14 |
| Red Hat JBoss EAP 7.1 | RHSA-2018:2088 | 2018-06-27 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) | RHSA-2018:1451 | 2018-05-14 |
| Red Hat OpenShift Application Runtimes 1.0 | RHSA-2018:1786 | 2018-06-04 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jackson-databind) | RHSA-2018:2090 | 2018-06-27 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2018:1450 | 2018-05-14 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jackson-databind) | RHSA-2018:2089 | 2018-06-27 |
| Red Hat OpenShift Application Runtimes 1.0 | RHSA-2018:2938 | 2018-10-17 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2018:1447 | 2018-05-14 |
| Red Hat JBoss Fuse 6.3 | RHSA-2018:2939 | 2018-10-17 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2018:1448 | 2018-05-14 |
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | eap7-jackson-databind | Affected |
| Red Hat Subscription Asset Manager 1 | jackson-databind | Will not fix |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-eclipse46-jackson-databind | Will not fix |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-maven35-jackson-databind | Affected |
| Red Hat Satellite 6 | jackson-databind | Not affected |
| Red Hat OpenShift Enterprise 2 | jackson-databind | Under investigation |
| Red Hat Mobile Application Platform On-Premise 4 | jackson-databind | Not affected |
| Red Hat JBoss Operations Network 3 | Core Server | Under investigation |
| Red Hat JBoss Fuse 7 | Camel | Affected |
| Red Hat JBoss Data Virtualization 6 | jackson-databind | Will not fix |
| Red Hat JBoss Data Grid 7 | jackson-databind | Not affected |
| Red Hat JBoss BRMS 6 | jackson-databind | Affected |
| Red Hat JBoss BPMS 6 | jackson-databind | Affected |
| Red Hat JBoss A-MQ 6 | jackson-databind | Will not fix |
Advice on how to remain safe while using JAX-RS webservices on JBoss EAP 7.x is available here:
https://access.redhat.com/solutions/3279231
https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization
Vulmon