Wednesday, July 17, 2019

Vuln: FasterXML Jackson-databind Deserialization Multiple Remote Code Execution Vulnerabilities



FasterXML Jackson-databind is prone to multiple remote-code execution vulnerabilities.

Successfully exploiting these issues allows attackers to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.

Jackson-databind 2.x through 2.9.8 are vulnerable.

Exploit:
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
Solution:
Updates are available. Please see the references or vendor advisory for more information.

Info:
Bugtraq ID: 107985
Class: Design Error
CVE: CVE-2018-19360, CVE-2018-19361, CVE-2018-19362
Remote: Yes
Local: No
Published: Jan 02 2019 12:00AM
Updated: Jul 17 2019 07:00AM
Credit: Wuguixiong.
Vulnerable: Redhat Software Collections for RHEL 0
Redhat OpenStack Platform 8.0 (Liberty)
Redhat OpenStack Platform 14.0 (Rocky)
Redhat OpenStack Platform 13.0 (Queens)
Redhat OpenStack Platform 10
Redhat JBoss Fuse 7.0
Redhat JBoss EAP 7 0
Oracle WebCenter Portal 12.2.1.3.0
Oracle Retail Xstore Point of Service 7.1
Oracle Retail Xstore Point of Service 7.0
Oracle Retail Xstore Point of Service 18.0
Oracle Retail Xstore Point of Service 17.0
Oracle Retail Xstore Point of Service 16.0
Oracle Retail Xstore Point of Service 15.0
Oracle Retail Workforce Management Software 1.60.9.0.0
Oracle Retail Customer Management and Segmentation Foundation 18.0
Oracle Retail Customer Management and Segmentation Foundation 17.0
Oracle Retail Customer Management and Segmentation Foundation 16.0
Oracle Primavera Unifier 18.8
Oracle Primavera Unifier 17.7
Oracle Primavera Unifier 17.12
Oracle Primavera Unifier 16.2
Oracle Primavera Unifier 16.1
Oracle Primavera P6 Enterprise Project Portfolio Management 18.8
Oracle Primavera P6 Enterprise Project Portfolio Management 17.7
Oracle Primavera P6 Enterprise Project Portfolio Management 17.12
Oracle Primavera P6 Enterprise Project Portfolio Management 16.2
Oracle Primavera P6 Enterprise Project Portfolio Management 16.1
Oracle Primavera P6 Enterprise Project Portfolio Management 15.2
Oracle Primavera P6 Enterprise Project Portfolio Management 15.1
Oracle Primavera Gateway 18.8
Oracle Primavera Gateway 17.12
Oracle Primavera Gateway 16.2
Oracle Primavera Gateway 15.2
Oracle JD Edwards EnterpriseOne Tools 9.2
Oracle Insurance Performance Insight 8.0.7
Oracle Insurance Allocation Manager for Enterprise Profitability 8.0.8
Oracle Financial Services Retail Customer Analytics 8.0.6
Oracle Financial Services Retail Customer Analytics 8.0.5
Oracle Financial Services Retail Customer Analytics 8.0.4
Oracle Financial Services Profitability Management 8.0.7
Oracle Financial Services Profitability Management 8.0.6
Oracle Financial Services Profitability Management 8.0.5
Oracle Financial Services Profitability Management 8.0.4
Oracle Financial Services Price Creation and Discovery 8.0.7
Oracle Financial Services Price Creation and Discovery 8.0.5
Oracle Financial Services Price Creation and Discovery 8.0.4
Oracle Financial Services Institutional Performance Analytics 8.0.7
Oracle Financial Services Institutional Performance Analytics 8.0.5
Oracle Financial Services Institutional Performance Analytics 8.0.4
Oracle Financial Services Funds Transfer Pricing 8.0.7
Oracle Financial Services Analytical Applications Infrastructure 8.0.8
Oracle Financial Services Analytical Applications Infrastructure 8.0.7
Oracle Financial Services Analytical Applications Infrastructure 8.0.6
Oracle Financial Services Analytical Applications Infrastructure 8.0.5
Oracle Financial Services Analytical Applications Infrastructure 8.0.4
Oracle Financial Services Analytical Applications Infrastructure 8.0.3
Oracle Financial Services Analytical Applications Infrastructure 8.0.2
Oracle Enterprise Manager for Virtualization 13.3
Oracle Enterprise Manager for Virtualization 13.2
Oracle Enterprise Manager for Virtualization 13.1
Oracle Communications Unified 8.0.0.2.0
Oracle Business Process Management Suite 12.2.1.3.0
Oracle Business Process Management Suite 12.1.3.0.0
Oracle Banking Platform 2.7.1
Oracle Banking Platform 2.6.2
Oracle Banking Platform 2.6.1
Oracle Banking Platform 2.6
Oracle Banking Platform 2.5.0
Oracle Banking Platform 2.5
Oracle Banking Platform 2.4.1
Oracle Banking Platform 2.4.0
FasterXML jackson-databind 2.9.7
FasterXML jackson-databind 2.9.6
FasterXML jackson-databind 2.9.5
FasterXML jackson-databind 2.9.4
FasterXML jackson-databind 2.9.2
FasterXML jackson-databind 2.9.1
FasterXML jackson-databind 2.9
FasterXML jackson-databind 2.8.11
FasterXML jackson-databind 2.8.10
FasterXML jackson-databind 2.8.9
FasterXML jackson-databind 2.8.8
FasterXML jackson-databind 2.8.7
FasterXML jackson-databind 2.8.8.1
FasterXML jackson-databind 2.8.11.2
FasterXML jackson-databind 2.8.11.1
FasterXML jackson-databind 2.7.9.4
FasterXML jackson-databind 2.7.9.3
FasterXML jackson-databind 2.7.9.1
FasterXML jackson-databind 2.6.7.1
Not Vulnerable: FasterXML jackson-databind 2.9.8
from SecurityFocus Vulnerabilities https://ift.tt/2NWWKYx
