Description
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Remediation
References
https://github.com/FasterXML/jackson-databind/issues/1599
https://github.com/FasterXML/jackson-databind/issues/1723
https://bugzilla.redhat.com/show_bug.cgi?id=1462702
https://www.debian.org/security/2017/dsa-4004
https://security.netapp.com/advisory/ntap-20171214-0002/
https://access.redhat.com/errata/RHSA-2017:3458
https://access.redhat.com/errata/RHSA-2017:3456
https://access.redhat.com/errata/RHSA-2017:3455
https://access.redhat.com/errata/RHSA-2017:3454
https://access.redhat.com/errata/RHSA-2017:3141
https://access.redhat.com/errata/RHSA-2017:2638
https://access.redhat.com/errata/RHSA-2017:2637
https://access.redhat.com/errata/RHSA-2017:2636
https://access.redhat.com/errata/RHSA-2017:2635
https://access.redhat.com/errata/RHSA-2017:2633
https://access.redhat.com/errata/RHSA-2017:2547
https://access.redhat.com/errata/RHSA-2017:2546
https://access.redhat.com/errata/RHSA-2017:2477
https://access.redhat.com/errata/RHSA-2017:1840
https://access.redhat.com/errata/RHSA-2017:1839
https://access.redhat.com/errata/RHSA-2017:1837
https://access.redhat.com/errata/RHSA-2017:1836
https://access.redhat.com/errata/RHSA-2017:1835
https://access.redhat.com/errata/RHSA-2017:1834
http://www.securitytracker.com/id/1039947
http://www.securitytracker.com/id/1039744
http://www.securityfocus.com/bid/99623
https://cwiki.apache.org/confluence/display/WW/S2-055
https://access.redhat.com/errata/RHSA-2018:0294
http://www.securitytracker.com/id/1040360
https://access.redhat.com/errata/RHSA-2018:0342
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1449
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://access.redhat.com/errata/RHSA-2019:0910
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346%40%3Cdev.lucene.apache.org%3E
https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E
https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7%40%3Ccommits.cassandra.apache.org%3E
Related Vulnerabilities
CVE-2021-23364 Vulnerability in npm package browserslist
CVE-2019-16869 Vulnerability in maven package io.netty:netty
CVE-2022-25931 Vulnerability in npm package easy-static-server
CVE-2020-25633 Vulnerability in maven package org.jboss.resteasy:resteasy-client-microprofile
CVE-2021-22134 Vulnerability in maven package org.elasticsearch:elasticsearch