-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1368
                     jackson-databind security update
                               20 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FasterXML jackson-databind
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11620 CVE-2020-11619 CVE-2020-11113
                   CVE-2020-11112 CVE-2020-11111 CVE-2020-10969
                   CVE-2020-10968  

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2179

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running FasterXML jackson-databind check for an updated version of 
         the software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : jackson-databind
Version        : 2.4.2-2+deb8u14
CVE ID         : CVE-2020-10968 CVE-2020-10969 CVE-2020-11111
                 CVE-2020-11112 CVE-2020-11113 CVE-2020-11619
                 CVE-2020-11620


The following CVEs were reported against the jackson-databind source package:

CVE-2020-10968

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
    interaction between serialization gadgets and typing, related
    to org.aoju.bus.proxy.provider.remoting.RmiProvider
    (aka bus-proxy).

CVE-2020-10969

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
    interaction between serialization gadgets and typing, related
    to javax.swing.JEditorPane.

CVE-2020-11111

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
    interaction between serialization gadgets and typing, related
    to org.apache.activemq.* (aka activemq-jms, activemq-core,
    activemq-pool, and activemq-pool-jms).

CVE-2020-11112

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
    interaction between serialization gadgets and typing, related
    to org.apache.commons.proxy.provider.remoting.RmiProvider
    (aka apache/commons-proxy).

CVE-2020-11113

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
    interaction between serialization gadgets and typing, related
    to org.apache.openjpa.ee.WASRegistryManagedRuntime
    (aka openjpa).

CVE-2020-11619

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
    interaction between serialization gadgets and typing, related
    to org.springframework.aop.config.MethodLocatingFactoryBean
    (aka spring-aop).

CVE-2020-11620

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
    interaction between serialization gadgets and typing, related
    to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
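Every CVE above is a new entry for the library's internal blocklist of gadget classes; the underlying condition is a mapper that resolves a concrete class from a type id carried inside untrusted JSON. The following is an added illustration, not code from the Debian advisory or from the jackson-databind project: the weak setting (global default typing with no allow-list, the only form the 2.4.x API offers) beside the allow-list form that jackson-databind 2.10 introduced. The `com.example.model` package, the `Envelope` and `Note` classes and both JSON documents are constructed for the example.

```java
package com.example.model;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/** Hypothetical application code; package and class names are assumptions. */
public class PolymorphicTypingDemo {

    /** Envelope whose payload is declared as Object: default typing resolves
     *  its concrete class from a type id carried inside the JSON itself. */
    public static class Envelope {
        public Object payload;
    }

    /** The one payload type this application actually expects. */
    public static class Note {
        public String text;
    }

    /** Weak setting: global default typing with no allow-list (the only form
     *  jackson-databind 2.4.x offers; deprecated since 2.10). Any class the
     *  library can instantiate is accepted unless its name is on the library's
     *  internal blocklist, which is what each CVE in this advisory extends. */
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // do not ship this
        return mapper;
    }

    /** Hardened setting (jackson-databind 2.10+): default typing is activated
     *  only together with an allow-list validator, so a type id outside the
     *  application's own package is refused before it is instantiated,
     *  whether or not a blocklist entry exists for it. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // prefix match on the type id
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Constructed sample documents. The first carries the expected type id;
    // the second names a harmless JDK class that is nonetheless outside the
    // allow-list, which is exactly the situation the allow-list exists to refuse.
    static final String EXPECTED_DOC =
            "{\"payload\":[\"com.example.model.PolymorphicTypingDemo$Note\",{\"text\":\"hi\"}]}";
    static final String FOREIGN_DOC =
            "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    public static void main(String[] args) throws Exception {
        // Weak mapper: the document alone decides which class gets instantiated.
        Envelope w = weakMapper().readValue(FOREIGN_DOC, Envelope.class);
        System.out.println("weak mapper accepted: " + w.payload.getClass().getName());

        // Hardened mapper: the expected type works, the foreign type id is refused.
        ObjectMapper hardened = hardenedMapper();
        Envelope ok = hardened.readValue(EXPECTED_DOC, Envelope.class);
        System.out.println("hardened mapper accepted: " + ok.payload.getClass().getName());
        try {
            hardened.readValue(FOREIGN_DOC, Envelope.class);
            System.out.println("hardened mapper accepted a foreign type id (unexpected)");
        } catch (JsonMappingException e) {
            System.out.println("hardened mapper refused: " + e.getOriginalMessage());
        }
    }
}
```

Compile against jackson-databind 2.10 or later. Jessie's 2.4.2-2+deb8u14 predates `PolymorphicTypeValidator`, so on that line the blocklist carried by this update is the only in-library defence, and the safe configuration is simply never calling `enableDefaultTyping()` on a mapper that reads untrusted input.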

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u14.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl6aQQwACgkQgj6WdgbD
S5Y7kBAAvmbmDnwXRoKyWxdY5wSB2gvTT/kaSeTT/EcnAiLHdlLj1XSgb9TqanXa
fTWVsQivLNz3Pn4tY5qcniJRnabnhRbRxgHeF30L9cXecX6mnuloikUGllMcSiko
6S22Qgir0eJMdF/x2AqW1csb4z3MWylwOGmiqERT0VbIiF3Fhann2H3gnhZLj4Yc
qmXv/mnSxrUldgchHCNbTg44iVnO+gz/R3HzTswzc24IaPCKBpIO14N5Jn5ew34q
pp+2ZsuFmfCBvTcgbK0BS6mPrqrqKX1t+Y1vJXP/RUH0A5rD10PEEkrxbrpXJ0F+
MIpu1+DEVVHn6F5fFsjrdfdIZe9ce21ooyKhUyfLdrrbcuM98gvOCDc6bN+CrJVn
x2fQLRpOysCuDALqokSmD5+LmeSIVUJKIiCL78dbRkxHrsCnOHP3GOE8RXLPLf+W
V8WDMwLmrohdN1PMFmTIVGrmb5Qo5fqZzywOr3MuDdxC4G66PzrAqhKbieBB/d8K
pqB2V6r9lC4MX1xEu8Fgg6UTdLqLAKesjyAONX5W+oYlafLp0GjmeyqBEgmdT/oW
I9MsuH/oG0WY6GoaciUVzNKowa1AePsg+C3nz7zPdtT1b9uwr/dXy4KBW6hE3IKz
7Z6NzIabMf1HQkr2FJ2NDQaCWvg1KUX2xadhRlN84HYbVPMHqX0=
=a84X
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=tUrw
-----END PGP SIGNATURE-----