Description

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Remediation

References

https://github.com/FasterXML/jackson-databind/issues/1599

https://github.com/FasterXML/jackson-databind/issues/1723

https://bugzilla.redhat.com/show_bug.cgi?id=1462702

https://www.debian.org/security/2017/dsa-4004

https://security.netapp.com/advisory/ntap-20171214-0002/

https://access.redhat.com/errata/RHSA-2017:3458

https://access.redhat.com/errata/RHSA-2017:3456

https://access.redhat.com/errata/RHSA-2017:3455

https://access.redhat.com/errata/RHSA-2017:3454

https://access.redhat.com/errata/RHSA-2017:3141

https://access.redhat.com/errata/RHSA-2017:2638

https://access.redhat.com/errata/RHSA-2017:2637

https://access.redhat.com/errata/RHSA-2017:2636

https://access.redhat.com/errata/RHSA-2017:2635

https://access.redhat.com/errata/RHSA-2017:2633

https://access.redhat.com/errata/RHSA-2017:2547

https://access.redhat.com/errata/RHSA-2017:2546

https://access.redhat.com/errata/RHSA-2017:2477

https://access.redhat.com/errata/RHSA-2017:1840

https://access.redhat.com/errata/RHSA-2017:1839

https://access.redhat.com/errata/RHSA-2017:1837

https://access.redhat.com/errata/RHSA-2017:1836

https://access.redhat.com/errata/RHSA-2017:1835

https://access.redhat.com/errata/RHSA-2017:1834

http://www.securitytracker.com/id/1039947

http://www.securitytracker.com/id/1039744

http://www.securityfocus.com/bid/99623

https://cwiki.apache.org/confluence/display/WW/S2-055

https://access.redhat.com/errata/RHSA-2018:0294

http://www.securitytracker.com/id/1040360

https://access.redhat.com/errata/RHSA-2018:0342

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

https://access.redhat.com/errata/RHSA-2018:1450

https://access.redhat.com/errata/RHSA-2018:1449

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://access.redhat.com/errata/RHSA-2019:0910

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://access.redhat.com/errata/RHSA-2019:2858

https://access.redhat.com/errata/RHSA-2019:3149

https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html

https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346%40%3Cdev.lucene.apache.org%3E

https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399%40%3Csolr-user.lucene.apache.org%3E

https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87%40%3Csolr-user.lucene.apache.org%3E

https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E

https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E

https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c%40%3Ccommits.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7%40%3Ccommits.cassandra.apache.org%3E

Related Vulnerabilities

CVE-2023-35159 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2022-28220 Vulnerability in maven package org.apache.james.protocols:protocols-netty

CVE-2020-28865 Vulnerability in maven package com.github.kfcfans:powerjob

CVE-2020-17519 Vulnerability in maven package org.apache.flink:flink-runtime_2.11

CVE-2023-45138 Vulnerability in maven package org.xwiki.contrib.changerequest:application-changerequest-ui

Severity

Critical

Classification

CWE-184 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory VDB Entry Mailing List