—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: OpenShift Container Platform logging-elasticsearch5-container security update
Advisory ID: RHSA-2019:3149-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3149
Issue date: 2019-10-18
CVE Names: CVE-2017-7525 CVE-2017-15095 CVE-2017-17485
CVE-2018-5968 CVE-2018-7489 CVE-2018-10237
CVE-2018-11307 CVE-2018-12022 CVE-2018-12023
CVE-2018-14718 CVE-2018-14719 CVE-2018-14720
CVE-2018-14721 CVE-2018-19360 CVE-2018-19361
CVE-2018-19362 CVE-2019-12086 CVE-2019-12384
CVE-2019-12814 CVE-2019-14379
=====================================================================

1. Summary:

An update for logging-elasticsearch5-container is now available for Red Hat
OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains an update for jackson-databind in the
logging-elasticsearch5 container image for Red Hat OpenShift Container
Platform 3.11.153.

Security Fix(es):

* jackson-databind: Deserialization vulnerability via readValue method of
ObjectMapper (CVE-2017-7525)

* jackson-databind: Unsafe deserialization due to incomplete black list
(incomplete fix for CVE-2017-7525) (CVE-2017-15095)

* jackson-databind: Unsafe deserialization due to incomplete black list
(incomplete fix for CVE-2017-15095) (CVE-2017-17485)

* jackson-databind: Potential information exfiltration with default typing,
serialization gadget from MyBatis (CVE-2018-11307)

* jackson-databind: improper polymorphic deserialization of types from
Jodd-db library (CVE-2018-12022)

* jackson-databind: improper polymorphic deserialization of types from
Oracle JDBC driver (CVE-2018-12023)

* jackson-databind: arbitrary code execution in slf4j-ext class
(CVE-2018-14718)

* jackson-databind: arbitrary code execution in blaze-ds-opt and
blaze-ds-core classes (CVE-2018-14719)

* jackson-databind: improper polymorphic deserialization in
axis2-transport-jms class (CVE-2018-19360)

* jackson-databind: improper polymorphic deserialization in openjpa class
(CVE-2018-19361)

* jackson-databind: improper polymorphic deserialization in
jboss-common-core class (CVE-2018-19362)

* jackson-databind: failure to block the logback-core class from
polymorphic deserialization leading to remote code execution
(CVE-2019-12384)

* jackson-databind: default typing mishandling leading to remote code
execution (CVE-2019-14379)

* jackson-databind: unsafe deserialization due to incomplete blacklist
(incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)

* jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe
serialization via c3p0 libraries (CVE-2018-7489)

* guava: Unbounded memory allocation in AtomicDoubleArray and
CompoundOrdering classes allow remote attackers to cause a denial of
service (CVE-2018-10237)

* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
(CVE-2018-14721)

* jackson-databind: polymorphic typing issue allows attacker to read
arbitrary local files on the server. (CVE-2019-12086)

* jackson-databind: polymorphic typing issue allows attacker to read
arbitrary local files on the server via crafted JSON message.
(CVE-2019-12814)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

See the following documentation, which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and
fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
elease_notes.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1462702 – CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
1506612 – CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
1528565 – CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
1538332 – CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)
1549276 – CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
1573391 – CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1666415 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
1666418 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
1666423 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
1666428 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
1666482 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
1666484 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
1666489 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
1671096 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
1671097 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
1677341 – CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
1713468 – CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
1725795 – CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.
1725807 – CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
1737517 – CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution

5. References:

https://access.redhat.com/security/cve/CVE-2017-7525
https://access.redhat.com/security/cve/CVE-2017-15095
https://access.redhat.com/security/cve/CVE-2017-17485
https://access.redhat.com/security/cve/CVE-2018-5968
https://access.redhat.com/security/cve/CVE-2018-7489
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/cve/CVE-2018-11307
https://access.redhat.com/security/cve/CVE-2018-12022
https://access.redhat.com/security/cve/CVE-2018-12023
https://access.redhat.com/security/cve/CVE-2018-14718
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-14720
https://access.redhat.com/security/cve/CVE-2018-14721
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/cve/CVE-2019-12086
https://access.redhat.com/security/cve/CVE-2019-12384
https://access.redhat.com/security/cve/CVE-2019-12814
https://access.redhat.com/security/cve/CVE-2019-14379
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXaoYI9zjgjWX9erEAQj/Fg/+ODHxxpzww4u9UjUNO4XQWe+v9zAzdMmv
haPdmEGp4X9wQbAerbu6uERE8yrox+N3VN84dAgmKoim76Y5zMwad9o2LJF7c9rw
KlcPP7zsQ5bKTLi17e/sGUimNcKO83sKcEivqAlw3VzeH3nSigjq3FpF4zgASarf
NV1EnBBYoCt2wuLaiCjRN4V5xe3DlQ8Np9Cptp5OcSlvavdN5NMGLxNjleCBW4OP
LH+QiOf48BOyH39KZLkmh+8LG69Ig64Wvcf26JnlhNLpK92iACjtK/XM3vy7SBwd
sTpKZQNHGd1eMd5pCx0+UmoLAzO+W9C9yeb5mUvQrCWQArZ4mTR5uiUy8hSoY2XL
DBHBqJm04ECKjrAMYu1GAb938aBLsUjZ3ltPLj9cXi0cqI6HxDyvWMu/IUjiemt5
5VM+AZ3lR44esY7528BhjQFrYHJfIQn28ovCktHo1ZMaEk2bwqy6VgY1ywf5xT7Q
JLzo02/cS9tawtaIJiCzKYYIdyW+dw6OvDZyFoyNcDpyPL2YwVnS5CQTm6OJI6Dy
Opdn59EYbXeK0Vk4ttBOFbIvpWXmg3oFkpgkwmzdyeREPsyxe7mrEZOVZH0BKc3R
BcW9U/ilaNvQJzX8dXBSwNJysNnnVg5l1VVKH5jpwLQ1jkWrDQBWT2rhEg4g7/9c
X6iG41oXhxM=
=cwZr
—–END PGP SIGNATURE—–

—
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce