Executive Summary
Summary
Field | Value |
---|---|
Title | OpenShift Container Platform logging-elasticsearch5-container security update |
Name | RHSA-2019:3149 |
Vendor | RedHat |
First vendor Publication | 2019-10-18 |
Last vendor Modification | 2019-10-18 |
Severity (Vendor) | N/A |
Revision | 01 |
Security-Database Scoring CVSS v3
CVSS vector : N/A
Metric | Value |
---|---|
Overall CVSS Score | NA |
Base Score | NA |
Environmental Score | NA |
Impact Sub Score | NA |
Temporal Score | NA |
Exploitability Sub Score | NA |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Metric | Value |
---|---|
CVSS Base Score | 7.5 |
CVSS Impact Score | 6.4 |
CVSS Exploit Score | 10 |
Attack Range | Network |
Attack Complexity | Low |
Authentication | None Required |
Detail
Problem Description:

An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains an update for jackson-databind in the logging-elasticsearch5 container image for Red Hat OpenShift Container Platform 3.11.153.

Security Fix(es):

* jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper (CVE-2017-7525)
* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)
* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)
* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)
* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)
* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)
* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)
* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)
* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)
* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)
* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)
* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384)
* jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)
* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)
* jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489)
* guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237)
* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
* jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. (CVE-2019-12086)
* jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message. (CVE-2019-12814)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1462702 - CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
1506612 - CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
1538332 - CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)
1549276 - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
1713468 - CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
1725795 - CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.
1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution

5. References:

https://access.redhat.com/security/cve/CVE-2017-7525
https://access.redhat.com/security/cve/CVE-2017-15095
https://access.redhat.com/security/cve/CVE-2017-17485
https://access.redhat.com/security/cve/CVE-2018-5968
https://access.redhat.com/security/cve/CVE-2018-7489
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/cve/CVE-2018-11307
https://access.redhat.com/security/cve/CVE-2018-12022
https://access.redhat.com/security/cve/CVE-2018-12023
https://access.redhat.com/security/cve/CVE-2018-14718
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-14720
https://access.redhat.com/security/cve/CVE-2018-14721
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/cve/CVE-2019-12086
https://access.redhat.com/security/cve/CVE-2019-12384
https://access.redhat.com/security/cve/CVE-2019-12814
https://access.redhat.com/security/cve/CVE-2019-14379
https://access.redhat.com/security/updates/classification/#important
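The jackson-databind entries in the Security Fix(es) list above share one mechanism: with default typing enabled, the JSON document itself names the class to instantiate, so whoever controls input to `ObjectMapper.readValue()` picks a class on the classpath, and the "gadget" libraries in the CVE titles (c3p0, logback-core, slf4j-ext, the Axis2 and JDBC classes, and so on) are classes whose setters or constructors lead to code execution, file reads or SSRF. The repeated "incomplete fix" entries show why a per-class blocklist keeps failing. The Java program below is an added example, not code from the advisory, from Red Hat or from the jackson-databind project: it places the weak setting (`enableDefaultTyping()` with no allow-list) beside the corrected one (jackson-databind 2.10 or later, `activateDefaultTyping` with a `BasicPolymorphicTypeValidator` that admits only an application package). The class name `DefaultTypingHardening`, the package prefix `com.example.logging.`, and the use of `java.util.HashMap` as a harmless stand-in for an attacker-chosen class are assumptions for the illustration; the input document is constructed.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the advisory or the jackson-databind project).
// Requires jackson-databind 2.10 or later on the classpath.
public class DefaultTypingHardening {

    // Weak setting: global default typing with no allow-list. This is the
    // configuration the jackson-databind CVEs listed in the advisory abuse;
    // the method is deprecated since 2.10 for exactly that reason.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // same as DefaultTyping.OBJECT_AND_NON_CONCRETE
        return m;
    }

    // Corrected setting: default typing is still active, but a type id in the
    // JSON is only honoured when the named class sits under an explicit
    // application package (assumed prefix). Anything else is refused before
    // the class is instantiated, so gadget classes never get a constructor call.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.logging.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
    }

    // Constructed input in the two-element "wrapper array" form that default
    // typing accepts for an Object-typed target: [ "<class name>", { ...props... } ].
    // java.util.HashMap is a harmless stand-in for the class an attacker would name.
    static final String INPUT = "[\"java.util.HashMap\", {\"k\":\"v\"}]";

    public static void main(String[] args) throws Exception {
        // Weak mapper: the class named in the document is resolved and instantiated.
        Object weak = weakMapper().readValue(INPUT, Object.class);
        System.out.println("weak mapper instantiated: " + weak.getClass().getName());

        // Hardened mapper: the same document is rejected at type-id resolution.
        try {
            hardenedMapper().readValue(INPUT, Object.class);
            System.out.println("hardened mapper instantiated the class (unexpected)");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper refused type id: " + e.getTypeId());
        }
    }
}
```

Compiled against jackson-databind 2.10 or later (both APIs need it), the first mapper instantiates whatever class the array names, while the second refuses it with `InvalidTypeIdException` before any constructor or setter runs. For the OpenShift image this advisory covers, the remediation is the updated jackson-databind shipped in the container; applications that embed jackson-databind themselves should additionally stop relying on global default typing, since the class blocklist that the "incomplete fix" CVEs above keep extending is not a complete defence on its own.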
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2019-3149.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
80 % | CWE-502 | Deserialization of Untrusted Data |
10 % | CWE-184 | Incomplete Blacklist |
5 % | CWE-770 | Allocation of Resources Without Limits or Throttling |
5 % | CWE-611 | Information Leak Through XML External Entity File Disclosure |
Snort® IPS/IDS
Date | Description |
---|---|
2019-09-24 | FasterXML Jackson Databind unsafe deserialization attempt RuleID : 51146 - Revision : 1 - Type : SERVER-WEBAPP |
2018-04-03 | Jackson databind deserialization remote code execution attempt RuleID : 45779 - Revision : 1 - Type : SERVER-OTHER |
2018-04-03 | Jackson databind deserialization remote code execution attempt RuleID : 45778 - Revision : 1 - Type : SERVER-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45016 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45015 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45014 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45013 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45012 - Revision : 4 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45011 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45010 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45009 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45008 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45007 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45006 - Revision : 4 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45005 - Revision : 4 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45004 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45003 - Revision : 3 - Type : FILE-OTHER |
2017-12-29 | Jackson databind deserialization remote code execution attempt RuleID : 45002 - Revision : 3 - Type : FILE-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2019-01-03 | Name : The remote Fedora host is missing a security update. File : fedora_2018-bf292e6cdf.nasl - Type : ACT_GATHER_INFO |
2019-01-03 | Name : The remote Fedora host is missing a security update. File : fedora_2018-633acf0ed6.nasl - Type : ACT_GATHER_INFO |
2019-01-03 | Name : The remote Fedora host is missing a security update. File : fedora_2018-54a5bcc7e4.nasl - Type : ACT_GATHER_INFO |
2018-11-29 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_93f8e0fff33d11e8be460019dbb15b3f.nasl - Type : ACT_GATHER_INFO |
2018-08-30 | Name : A web application running on the remote host is affected by multiple vulnerab... File : activemq_5_15_5.nasl - Type : ACT_GATHER_INFO |
2018-05-21 | Name : The remote Fedora host is missing a security update. File : fedora_2018-e4c2507720.nasl - Type : ACT_GATHER_INFO |
2018-05-15 | Name : The remote Fedora host is missing a security update. File : fedora_2018-db8f322bb0.nasl - Type : ACT_GATHER_INFO |
2018-05-04 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-4190.nasl - Type : ACT_GATHER_INFO |
2018-02-16 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-4114.nasl - Type : ACT_GATHER_INFO |
2018-01-15 | Name : The remote Fedora host is missing a security update. File : fedora_2017-4a071ecbc7.nasl - Type : ACT_GATHER_INFO |
2017-12-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-3455.nasl - Type : ACT_GATHER_INFO |
2017-12-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-3454.nasl - Type : ACT_GATHER_INFO |
2017-12-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-3458.nasl - Type : ACT_GATHER_INFO |
2017-12-04 | Name : A web application running on the remote host uses a Java framework that is af... File : struts_2_5_14_1.nasl - Type : ACT_GATHER_INFO |
2017-11-17 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-4037.nasl - Type : ACT_GATHER_INFO |
2017-11-16 | Name : The remote Fedora host is missing a security update. File : fedora_2017-e16ed3f7a1.nasl - Type : ACT_GATHER_INFO |
2017-11-14 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-3189.nasl - Type : ACT_GATHER_INFO |
2017-11-10 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2017-3141.nasl - Type : ACT_GATHER_INFO |
2017-10-23 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-4004.nasl - Type : ACT_GATHER_INFO |
2017-09-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-2638.nasl - Type : ACT_GATHER_INFO |
2017-09-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-2637.nasl - Type : ACT_GATHER_INFO |
2017-09-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-2636.nasl - Type : ACT_GATHER_INFO |
2017-09-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-2635.nasl - Type : ACT_GATHER_INFO |
2017-08-14 | Name : The remote Fedora host is missing a security update. File : fedora_2017-f452765e1e.nasl - Type : ACT_GATHER_INFO |
2017-08-14 | Name : The remote Fedora host is missing a security update. File : fedora_2017-6a75c816fa.nasl - Type : ACT_GATHER_INFO |
2017-08-11 | Name : The remote Fedora host is missing a security update. File : fedora_2017-8df9efed5f.nasl - Type : ACT_GATHER_INFO |
2017-08-03 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-1834.nasl - Type : ACT_GATHER_INFO |
2017-08-03 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-1837.nasl - Type : ACT_GATHER_INFO |
2017-08-03 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-1835.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2020-03-19 13:19:24 | |