https://bugzilla.redhat.com/show_bug.cgi?id=1775293
Bug ID: 1775293
Summary: cve jackson-databind: default typing leads to code
execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
asoldano(a)redhat.com, atangrin(a)redhat.com,
ataylor(a)redhat.com, avibelli(a)redhat.com,
bbaranow(a)redhat.com, bbuckingham(a)redhat.com,
bcourt(a)redhat.com, bgeorges(a)redhat.com,
bkearney(a)redhat.com, bmaxwell(a)redhat.com,
bmontgom(a)redhat.com, brian.stansberry(a)redhat.com,
btotty(a)redhat.com, cbyrne(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
cmacedo(a)redhat.com, darran.lofthouse(a)redhat.com,
decathorpe(a)gmail.com, dffrench(a)redhat.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, drusso(a)redhat.com,
eparis(a)redhat.com, etirelli(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
hhorak(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jburrell(a)redhat.com, jmadigan(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jshepherd(a)redhat.com,
jstastny(a)redhat.com, krathod(a)redhat.com,
kverlaen(a)redhat.com, kwills(a)redhat.com,
lef(a)fedoraproject.org, lgao(a)redhat.com,
lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
ngough(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pdrozd(a)redhat.com, pgallagh(a)redhat.com,
pmackay(a)redhat.com, psotirop(a)redhat.com,
puntogil(a)libero.it, pwright(a)redhat.com,
rchan(a)redhat.com, rguimara(a)redhat.com,
rhcs-maint(a)redhat.com, rjerrido(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sdaley(a)redhat.com, smaestri(a)redhat.com,
sokeeffe(a)redhat.com, sponnaga(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com,
trepel(a)redhat.com, trogers(a)redhat.com,
twalsh(a)redhat.com
Target Milestone: ---
Classification: Other
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0
through 2.9.10. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker
can provide a JNDI service to access, it is possible to make the service
execute a malicious payload.
Reference:
https://github.com/FasterXML/jackson-databind/issues/2498
--
You are receiving this mail because:
You are on the CC list for the bug.