CVE-2021-20190: SSRF
First published: Fri Jan 15 2021(Updated: )
A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jackson-databind | <2.9.10.7 | 2.9.10.7 |
| maven/com.fasterxml.jackson.core:jackson-databind | <2.6.7.5 | 2.6.7.5 |
| maven/com.fasterxml.jackson.core:jackson-databind | >=2.7.0<2.9.10.7 | 2.9.10.7 |
| FasterXML jackson-databind | <2.6.7.5 | |
| FasterXML jackson-databind | >=2.7.0<2.9.10.7 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Windows | ||
| NetApp OnCommand API Services | ||
| NetApp OnCommand Insight | ||
| NetApp Service Level Manager | ||
| Apache NiFi | >=1.7.0<=1.12.1 | |
| Debian Debian Linux | =9.0 | |
| Oracle Commerce Guided Search And Experience Manager | =11.3.2 | |
| IBM IBM® Db2® on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data | <=v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4 |
Remedy
The following conditions are needed for an exploit, we recommend avoiding all if possible: * Deserialization from sources you do not control * `enableDefaultTyping()` * `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS` * avoid javax.swing in the classpath
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-20190 https://nvd.nist.gov/vuln/detail/CVE-2021-20190 https://github.com/advisories/GHSA-5949-rw7g-wx7w
- https://bugzilla.redhat.com/show_bug.cgi?id=1916633
- https://access.redhat.com/errata/RHSA-2021:1515
- https://access.redhat.com/errata/RHSA-2021:1230
- https://access.redhat.com/security/cve/cve-2021-20190
- https://github.com/FasterXML/jackson-databind/issues/2854
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1917284
- https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a
- https://github.com/advisories/GHSA-5949-rw7g-wx7w (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-20190
- https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88
- https://security.netapp.com/advisory/ntap-20210219-0008
- https://security.netapp.com/advisory/ntap-20210219-0008/
- https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E
- https://exchange.xforce.ibmcloud.com/vulnerabilities/195243
- https://www.ibm.com/support/pages/node/7155078 (Advisory)
Frequently Asked Questions
What is CVE-2021-20190?
CVE-2021-20190 is a vulnerability in jackson-databind that mishandles the interaction between serialization gadgets and typing, posing a threat to data confidentiality, integrity, and system availability.
How severe is CVE-2021-20190?
CVE-2021-20190 has a severity score of 8.1 (high).
Which software is affected by CVE-2021-20190?
CVE-2021-20190 affects jackson-databind versions before 2.9.10.7 and 2.6.7.5.
How can I fix CVE-2021-20190?
To fix CVE-2021-20190, update jackson-databind to version 2.9.10.7 or higher.
Where can I find more information about CVE-2021-20190?
You can find more information about CVE-2021-20190 at the following references: [CVE-2021-20190](https://www.cve.org/CVERecord?id=CVE-2021-20190), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-20190), [GitHub Advisory](https://github.com/advisories/GHSA-5949-rw7g-wx7w), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1916633), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2021:1515)
- collector/redhat-cve
- agent/first-publish-date
- agent/type
- agent/weakness
- agent/author
- agent/remedy
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-20190
- agent/software-canonical-lookup
- agent/event
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5949-rw7g-wx7w
- collector/github-advisory
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- source/NVD
- agent/references
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- package-manager/maven
- vendor/fasterxml
- canonical/fasterxml jackson-databind
- version/fasterxml jackson-databind/2.7.0
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager windows
- canonical/netapp oncommand api services
- canonical/netapp oncommand insight
- canonical/netapp service level manager
- vendor/apache
- canonical/apache nifi
- version/apache nifi/1.7.0
- version/apache nifi/1.12.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/oracle
- canonical/oracle commerce guided search and experience manager
- version/oracle commerce guided search and experience manager/11.3.2
- vendor/ibm
- canonical/ibm ibm® db2® on cloud pak for data and db2 warehouse on cloud pak for data
- version/ibm ibm® db2® on cloud pak for data and db2 warehouse on cloud pak for data/v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4