what you don't know can hurt you

Red Hat Security Advisory 2019-3149-01

Red Hat Security Advisory 2019-3149-01
Posted Oct 19, 2019
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2019-3149-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains an update for jackson-databind in the logging-elasticsearch5 container image for Red Hat OpenShift Container Platform 3.11.153. Issues addressed include code execution, denial of service, and deserialization vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution
systems | linux, redhat
advisories | CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-10237, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379
SHA-256 | 5b5749c71d52c3690eb137ec23b207f4283a94baacb4c994ead4402f6eddba76

Red Hat Security Advisory 2019-3149-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: OpenShift Container Platform logging-elasticsearch5-container security update
Advisory ID: RHSA-2019:3149-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3149
Issue date: 2019-10-18
CVE Names: CVE-2017-7525 CVE-2017-15095 CVE-2017-17485
CVE-2018-5968 CVE-2018-7489 CVE-2018-10237
CVE-2018-11307 CVE-2018-12022 CVE-2018-12023
CVE-2018-14718 CVE-2018-14719 CVE-2018-14720
CVE-2018-14721 CVE-2018-19360 CVE-2018-19361
CVE-2018-19362 CVE-2019-12086 CVE-2019-12384
CVE-2019-12814 CVE-2019-14379
====================================================================
1. Summary:

An update for logging-elasticsearch5-container is now available for Red Hat
OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains an update for jackson-databind in the
logging-elasticsearch5 container image for Red Hat OpenShift Container
Platform 3.11.153.

Security Fix(es):

* jackson-databind: Deserialization vulnerability via readValue method of
ObjectMapper (CVE-2017-7525)

* jackson-databind: Unsafe deserialization due to incomplete black list
(incomplete fix for CVE-2017-7525) (CVE-2017-15095)

* jackson-databind: Unsafe deserialization due to incomplete black list
(incomplete fix for CVE-2017-15095) (CVE-2017-17485)

* jackson-databind: Potential information exfiltration with default typing,
serialization gadget from MyBatis (CVE-2018-11307)

* jackson-databind: improper polymorphic deserialization of types from
Jodd-db library (CVE-2018-12022)

* jackson-databind: improper polymorphic deserialization of types from
Oracle JDBC driver (CVE-2018-12023)

* jackson-databind: arbitrary code execution in slf4j-ext class
(CVE-2018-14718)

* jackson-databind: arbitrary code execution in blaze-ds-opt and
blaze-ds-core classes (CVE-2018-14719)

* jackson-databind: improper polymorphic deserialization in
axis2-transport-jms class (CVE-2018-19360)

* jackson-databind: improper polymorphic deserialization in openjpa class
(CVE-2018-19361)

* jackson-databind: improper polymorphic deserialization in
jboss-common-core class (CVE-2018-19362)

* jackson-databind: failure to block the logback-core class from
polymorphic deserialization leading to remote code execution
(CVE-2019-12384)

* jackson-databind: default typing mishandling leading to remote code
execution (CVE-2019-14379)

* jackson-databind: unsafe deserialization due to incomplete blacklist
(incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)

* jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe
serialization via c3p0 libraries (CVE-2018-7489)

* guava: Unbounded memory allocation in AtomicDoubleArray and
CompoundOrdering classes allow remote attackers to cause a denial of
service (CVE-2018-10237)

* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
(CVE-2018-14721)

* jackson-databind: polymorphic typing issue allows attacker to read
arbitrary local files on the server. (CVE-2019-12086)

* jackson-databind: polymorphic typing issue allows attacker to read
arbitrary local files on the server via crafted JSON message.
(CVE-2019-12814)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

See the following documentation, which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and
fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
elease_notes.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1462702 - CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
1506612 - CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
1538332 - CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)
1549276 - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
1713468 - CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
1725795 - CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.
1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution

5. References:

https://access.redhat.com/security/cve/CVE-2017-7525
https://access.redhat.com/security/cve/CVE-2017-15095
https://access.redhat.com/security/cve/CVE-2017-17485
https://access.redhat.com/security/cve/CVE-2018-5968
https://access.redhat.com/security/cve/CVE-2018-7489
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/cve/CVE-2018-11307
https://access.redhat.com/security/cve/CVE-2018-12022
https://access.redhat.com/security/cve/CVE-2018-12023
https://access.redhat.com/security/cve/CVE-2018-14718
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-14720
https://access.redhat.com/security/cve/CVE-2018-14721
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/cve/CVE-2019-12086
https://access.redhat.com/security/cve/CVE-2019-12384
https://access.redhat.com/security/cve/CVE-2019-12814
https://access.redhat.com/security/cve/CVE-2019-14379
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXaoYI9zjgjWX9erEAQj/Fg/+ODHxxpzww4u9UjUNO4XQWe+v9zAzdMmv
haPdmEGp4X9wQbAerbu6uERE8yrox+N3VN84dAgmKoim76Y5zMwad9o2LJF7c9rw
KlcPP7zsQ5bKTLi17e/sGUimNcKO83sKcEivqAlw3VzeH3nSigjq3FpF4zgASarf
NV1EnBBYoCt2wuLaiCjRN4V5xe3DlQ8Np9Cptp5OcSlvavdN5NMGLxNjleCBW4OP
LH+QiOf48BOyH39KZLkmh+8LG69Ig64Wvcf26JnlhNLpK92iACjtK/XM3vy7SBwd
sTpKZQNHGd1eMd5pCx0+UmoLAzO+W9C9yeb5mUvQrCWQArZ4mTR5uiUy8hSoY2XL
DBHBqJm04ECKjrAMYu1GAb938aBLsUjZ3ltPLj9cXi0cqI6HxDyvWMu/IUjiemt5
5VM+AZ3lR44esY7528BhjQFrYHJfIQn28ovCktHo1ZMaEk2bwqy6VgY1ywf5xT7Q
JLzo02/cS9tawtaIJiCzKYYIdyW+dw6OvDZyFoyNcDpyPL2YwVnS5CQTm6OJI6Dy
Opdn59EYbXeK0Vk4ttBOFbIvpWXmg3oFkpgkwmzdyeREPsyxe7mrEZOVZH0BKc3R
BcW9U/ilaNvQJzX8dXBSwNJysNnnVg5l1VVKH5jpwLQ1jkWrDQBWT2rhEg4g7/9c
X6iG41oXhxM=cwZr
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close