Bug 1165044 (CVE-2019-17267)

Summary:	VUL-0: CVE-2019-17267: jackson-databind: Serialization gadgets in classes of the ehcache package
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Alexandros Toptsoglou <atoptsoglou>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P5 - None	CC:	smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/244258/
Whiteboard:	CVSSv3.1:SUSE:CVE-2019-17267:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Alexandros Toptsoglou 2020-02-26 16:57:08 UTC

rh#1758167

A flaw was found in jackson-databind before 2.9.10. New serialization gadgets were found regarding a class of the ehcache package which may help in exploiting deserialization issues.

Upstream issue:

https://github.com/FasterXML/jackson-databind/issues/2460

Upstream patch:

https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb

References:

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1758167
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17267
https://access.redhat.com/errata/RHSA-2020:0445
https://access.redhat.com/errata/RHSA-2019:3200
https://access.redhat.com/errata/RHSA-2020:0161
https://access.redhat.com/errata/RHSA-2020:0159
https://access.redhat.com/errata/RHSA-2020:0160
https://access.redhat.com/errata/RHSA-2020:0164
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17267.html
http://www.cvedetails.com/cve/CVE-2019-17267/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267
https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10
https://github.com/FasterXML/jackson-databind/issues/2460
https://security.netapp.com/advisory/ntap-20191017-0006/

Comment 1 Alexandros Toptsoglou 2020-02-26 16:57:35 UTC

Both Factory and SLE15-SP2 are not affected, since the version that we ship already contains the fix. Closing.