-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3722
                     jackson-databind security update
                              4 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jackson-databind
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14540 CVE-2019-16335 CVE-2019-16942
                   CVE-2019-16943

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jackson-databind
Version        : 2.4.2-2+deb8u9
CVE ID         : CVE-2019-14540 CVE-2019-16335 CVE-2019-16942
                 CVE-2019-16943
Debian Bug     : 940498 941530

More deserialization flaws were discovered in jackson-databind
relating to the classes com.zaxxer.hikari.HikariConfig,
com.zaxxer.hikari.HikariDataSource, the commons-dbcp data source
classes and com.p6spy.engine.spy.P6DataSource. An application that
enables polymorphic (default) typing and deserializes untrusted JSON
can be made to instantiate these classes if they are on the classpath,
which could allow an unauthenticated remote attacker to execute
arbitrary code. The issue was resolved by extending the blacklist and
blocking more classes from polymorphic deserialization.
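To make the mechanism behind these CVEs concrete, the following is an added example (not code from the Debian advisory or from the jackson-databind project). It contrasts the default-typing configuration, under which the JSON document itself names the class to instantiate and only the blacklist stands between the input and a gadget class, with name-based subtype registration, which resolves type ids against a closed set declared in code. The Shape, Circle and Square classes and the sample documents are constructed for illustration; the HikariConfig class name appears only as a type id that the hardened mapper rejects, not as a working payload.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class PolymorphicTypingDemo {

    // Vulnerable pattern: global default typing lets the JSON document name the
    // class to instantiate. Any non-final class on the classpath that is not on
    // jackson-databind's blacklist is a candidate, which is why every newly found
    // gadget (HikariConfig, the DBCP data sources, P6DataSource, ...) needs
    // another blacklist entry.
    static Object deserializeWithDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        // With NON_FINAL typing an Object-typed target expects the
        // ["fully.qualified.ClassName", { ...fields... }] wrapper form.
        return mapper.readValue(json, Object.class);
    }

    // Hardened pattern: the type id is a logical name resolved against the
    // subtypes registered here. A document cannot name arbitrary classes.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME,
                  include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {
        double area();
    }

    public static class Circle implements Shape {
        public double r;
        public double area() { return Math.PI * r * r; }
    }

    public static class Square implements Shape {
        public double side;
        public double area() { return side * side; }
    }

    static Shape deserializeShape(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper(); // default typing left off
        return mapper.readValue(json, Shape.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; no real endpoint or payload is involved.
        Object o = deserializeWithDefaultTyping("[\"java.util.HashMap\", {\"a\": 1}]");
        System.out.println("default typing instantiated: " + o.getClass().getName());

        Shape s = deserializeShape("{\"type\": \"circle\", \"r\": 2.0}");
        System.out.println("circle area: " + s.area());

        try {
            // A class name is not a registered type id, so the mapper refuses
            // it before any constructor or setter of that class runs.
            deserializeShape("{\"type\": \"com.zaxxer.hikari.HikariConfig\"}");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Compile against jackson-databind 2.4.x or later. enableDefaultTyping is deprecated from 2.10 onwards, where activateDefaultTyping(PolymorphicTypeValidator, ...) requires an explicit allow-list instead of relying on the blacklist that this update extends. On Jessie's 2.4.2 the blacklist is the only defence once default typing is on, so the practical audit is to grep the application for enableDefaultTyping calls and for @JsonTypeInfo(use = Id.CLASS) on types fed from untrusted input, and to treat any hit as reachable until proven otherwise.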

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u9.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----