RedHat: RHSA-2019-0782:01 Important: rh-maven35-jackson-databind security
Summary
The jackson-databind package provides general data-binding functionality
for Jackson, which works on top of Jackson core streaming API.
Security Fix(es):
* jackson-databind: Potential information exfiltration with default typing,
serialization gadget from MyBatis (CVE-2018-11307)
* jackson-databind: improper polymorphic deserialization of types from
Jodd-db library (CVE-2018-12022)
* jackson-databind: improper polymorphic deserialization of types from
Oracle JDBC driver (CVE-2018-12023)
* jackson-databind: arbitrary code execution in slf4j-ext class
(CVE-2018-14718)
* jackson-databind: arbitrary code execution in blaze-ds-opt and
blaze-ds-core classes (CVE-2018-14719)
* jackson-databind: improper polymorphic deserialization in
axis2-transport-jms class (CVE-2018-19360)
* jackson-databind: improper polymorphic deserialization in openjpa class
(CVE-2018-19361)
* jackson-databind: improper polymorphic deserialization in
jboss-common-core class (CVE-2018-19362)
* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
(CVE-2018-14721)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2018-11307 https://access.redhat.com/security/cve/CVE-2018-12022 https://access.redhat.com/security/cve/CVE-2018-12023 https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/updates/classification/#important
Package List
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch:
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch:
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):
Source:
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch:
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):
Source:
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch:
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):
Source:
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch:
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch:
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for rh-maven35-jackson-databind is now available for Red HatSoftware Collections.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch
Bugs Fixed
1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis