Chapter 4. Known Issues
4.1. CVE Security Vulnerabilities
As a middleware integration platform, JBoss Fuse can potentially be integrated with a large number of third-party components. It is not always possible to exclude the possibility that some third-party dependencies of JBoss Fuse could have security vulnerabilities. This section documents known security vulnerabilities affecting third-party dependencies of JBoss Fuse 6.3.
- [CVE-2017-12629] Multiple CVEs related to the jackson-databind security vulnerability
- Applications that use the FasterXML jackson-databind library to instantiate Java objects by deserializing JSON content are potentially vulnerable to a remote code execution attack. The vulnerability is not automatic, however, and it can be avoided if you take the appropriate mitigation steps. At a minimum, the following prerequisites must all be satisfied before an attack becomes possible:
  - You have enabled polymorphic type handling for deserialization of JSON content in jackson-databind. There are two alternative ways of enabling polymorphic type handling in Jackson JSON:
    - Using a combination of the @JsonTypeInfo and @JsonSubTypes annotations.
    - By calling the ObjectMapper.enableDefaultTyping() method. This option is particularly dangerous, as it effectively enables polymorphic typing globally.
  - There are one or more gadget classes in your Java classpath which have not yet been blacklisted by the current version of jackson-databind. A gadget class is any class that performs a sensitive (potentially exploitable) operation as a side effect of executing a constructor or a setter method (the methods that can be called during deserialization). The gadget blacklist maintained by the Jackson JSON library is the last line of defence against the remote code execution vulnerability.
  It is the existence of a large number of gadget classes that explains why there are many individual CVEs related to the jackson-databind vulnerability: different CVEs cover different kinds of gadget class. If you do need to use the jackson-databind library in your application, the most important measure you can take to mitigate the risk is this: avoid polymorphic type handling in Jackson JSON, and on no account call the ObjectMapper.enableDefaultTyping() method.
- [CVE-2020-11972] camel-rabbitmq: RabbitMQ enables Java deserialization by default, which could lead to remote code execution [fuse-6.3.0]
- In the version of Apache Camel provided with Fuse 6.3 (Camel 2.17), the Camel RabbitMQ component enables Java deserialization by default, without any means of disabling it, which can lead to arbitrary code being executed. To avoid this security vulnerability, we recommend that you do not use the Camel RabbitMQ component in Fuse 6.3.
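The two Jackson configurations contrasted in the jackson-databind item above, as an added example that is not part of the Fuse documentation: the mapper with global default typing enabled beside one that keeps default typing off and confines polymorphism to a closed, name-based @JsonSubTypes list. The Event, OrderEvent and PaymentEvent classes and the JSON inputs are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JacksonTypingDemo {

    // Closed polymorphic hierarchy: type ids are logical names (Id.NAME) bound to a
    // fixed list of subtypes, so the JSON cannot name an arbitrary class to load.
    // With Id.CLASS the type id would be a class name chosen by the sender.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = OrderEvent.class, name = "order"),
        @JsonSubTypes.Type(value = PaymentEvent.class, name = "payment")
    })
    public interface Event {}

    public static class OrderEvent implements Event { public String orderId; }
    public static class PaymentEvent implements Event { public long amountCents; }

    // Weak configuration: default typing is on globally, so every property declared
    // as Object, an interface or an abstract class accepts a class name from the JSON.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();   // the call the release note says never to make
        return mapper;
    }

    // Hardened configuration: default typing stays off (Jackson's own default), so
    // polymorphism exists only where the annotations above explicitly declare it.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input: a declared type id deserializes to the mapped subtype.
        Event ok = mapper.readValue("{\"type\":\"order\",\"orderId\":\"A-1\"}", Event.class);
        System.out.println("accepted: " + ok.getClass().getSimpleName());

        // Constructed input: an undeclared type id is rejected with a mapping error
        // rather than being resolved to a class on the classpath.
        try {
            mapper.readValue("{\"type\":\"something-else\"}", Event.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

weakMapper() is shown only to make the contrast visible; a code search for enableDefaultTyping() across an application's modules is a quick way to confirm the hardened configuration is the one actually in use.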