此内容没有您所选择的语言版本。

Chapter 4. Known Issues


4.1. CVE Security Vulnerabilities

As a middleware integration platform, JBoss Fuse can potentially be integrated with a large number of third-party components. It is not always possible to exclude the possibility that some third-party dependencies of JBoss Fuse could have security vulnerabilities. This section documents known security vulnerabilities affecting third-party dependencies of JBoss Fuse 6.3.
[CVE-2017-12629] Multiple CVEs related to jackson-databind security vulnerability
Applications that that use the FasterXML jackson-databind library to instantiate Java objects by deserializing JSON content are potentially vulnerable to a remote code execution attack. The vulnerability is not automatic, however, and it can be avoided if you take the appropriate mitigation steps.
At a minimum, the following prerequisites must all be satisfied before an attack becomes possible:
  1. You have enabled polymorphic type handling for deserialization of JSON content in jackson-databind. There are two alternative ways of enabling polymorphic type handling in Jackson JSON:
    1. Using a combination of the @JsonTypeInfo and @JsonSubTypes annotations.
    2. By calling the ObjectMapper.enableDefaultTyping() method. This option is particularly dangerous, as it effectively enables polymorphic typing globally.
  2. There are one or more gadget classes in your Java classpath, which have not yet been blacklisted by the current version of jackson-databind. A gadget class is defined as any class that performs a sensitive (potentially exploitable) operation as a side effect of executing a constructor or a setter method (which are the methods that can be called during a deserialization). The gadget blacklist maintained by the Jackson JSON library is the last line of defence against the remote code execution vulnerability.
It is the existence of a large number of gadget classes which explains why there are many individual CVEs related to the jackson-databind vulnerability. There are different CVEs related to different kinds of gadget class.
If you do need to use the jackson-databind library in your application, the most important measure you can take to mitigate the risk is this: avoid polymorphic type handling in Jackson JSON and on no account should you call the ObjectMapper.enableDefaultTyping() method.
[CVE-2020-11972] CVE-2020-11972 camel-rabbitmq: camel: RabbitMQ enables Java deserialization by default which could lead to remote code execution [fuse-6.3.0]
In the version of Apache Camel provided with Fuse 6.3 (which is Camel 2.17), the Camel RabbitMQ component enables java deserialization, by default, without any means of disabling which can lead to arbitrary code being executed. To avoid this security vulnerability, we recommend that you do not use the Camel RabbitMQ component in Fuse 6.3.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.