===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2280
                     jackson-databind security update
                                2 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          jackson-databind
Publisher:        Debian
Operating System: Debian GNU/Linux 8
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Reduced Security -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2020-14195 CVE-2020-14062 CVE-2020-14061
                  CVE-2020-14060  

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : jackson-databind
Version        : 2.4.2-2+deb8u15
CVE ID         : CVE-2020-14060 CVE-2020-14061 CVE-2020-14062
                 CVE-2020-14195


Several CVEs were reported against src:jackson-databind, as follows:

CVE-2020-14060

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the
    interaction between serialization gadgets and typing, related
    to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool
    (aka apache/drill).

CVE-2020-14061

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the
    interaction between serialization gadgets and typing, related
    to oracle.jms.AQjmsQueueConnectionFactory,
    oracle.jms.AQjmsXATopicConnectionFactory,
    oracle.jms.AQjmsTopicConnectionFactory,
    oracle.jms.AQjmsXAQueueConnectionFactory, and
    oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

CVE-2020-14062

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the
    interaction between serialization gadgets and typing, related
    to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool
    (aka xalan2).

CVE-2020-14195

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the
    interaction between serialization gadgets and typing, related
    to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
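
All four entries describe the same underlying weakness: when an ObjectMapper
has default typing enabled, the JSON document itself names the Java class to
instantiate, so any "gadget" class present on the classpath becomes reachable
from untrusted input, and each jackson-databind release adds the newly
reported gadget classes to its blocklist. The Java snippet below is an added
example, not part of the Debian advisory or of the Jackson project. It
contrasts that risky configuration with an allowlist-based one and assumes
jackson-databind 2.10 or later (where PolymorphicTypeValidator and
activateDefaultTyping exist; the 2.4.2 Jessie package only carries the
blocklist fix described above) and a hypothetical application package
com.example.shapes with its own Shape type.

```java
// Added example, not from the Debian advisory or the Jackson project.
// Assumes jackson-databind 2.10+ (PolymorphicTypeValidator API) and a
// hypothetical application package com.example.shapes.
package com.example.shapes;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class PolymorphicTypingExample {

    // The only hierarchy this application legitimately needs polymorphic
    // handling for (hypothetical).
    public interface Shape {}

    public static final class Circle implements Shape {
        public double radius = 1.0;
    }

    // RISKY: global default typing for every non-final declared type. The JSON
    // document chooses the concrete class, so any class Jackson can instantiate
    // from the classpath (such as the gadgets named in the advisory) is
    // reachable, and the only protection is Jackson's blocklist of gadgets
    // that are already known. Deprecated since 2.10 for exactly this reason.
    @SuppressWarnings("deprecation")
    public static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED: the same feature, but every type id is checked against an
    // allowlist before an object of that class is instantiated. Only classes
    // under our own package resolve; anything else fails with
    // InvalidTypeIdException (a JsonMappingException).
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.shapes.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = hardenedMapper();

        // Our own type round-trips. NON_FINAL typing writes it as
        // ["com.example.shapes.PolymorphicTypingExample$Circle",{"radius":1.0}]
        String ownType = safe.writeValueAsString(new Circle());
        Shape shape = safe.readValue(ownType, Shape.class);
        System.out.println("accepted: " + shape.getClass().getName());

        // Constructed input naming a class outside the allowlist. A harmless
        // JDK class is used here; the validator rejects the type id before any
        // instance is created, so what the named class would do is irrelevant.
        String foreignType = "[\"java.util.HashMap\", {}]";
        try {
            safe.readValue(foreignType, Object.class);
            System.out.println("UNEXPECTED: foreign type was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The design point is the direction of the check: the blocklist that each of
these CVEs extends can only ever name gadgets that are already known, whereas
an allowlist limited to the application's own types rejects every class it was
not told about, including ones discovered after the application shipped. Not
enabling default typing at all, and annotating the few types that genuinely
need polymorphism, is the stricter option where the data model permits it.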

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u15.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl78gX4ACgkQgj6WdgbD
S5YhORAAq6gCqbqsEZ/IS5TaXakuq0UVo4aqOs4I+QCH5izQEFadxLqDtQQGThyI
zhZiTMxyfkW0guWAcrEJHgoMVXIrD5/cM4dh2bB/PPS5bdg8iDvCj4hkDh4ruRL2
393u6ybsLdS1mnX6iY69SxUuYUEy/DQHbOLFeUXgXve9oRwqwEPtmtJGkdwIsnkg
CUeHQvKkpvhzk7Kh3yXL5QaE4vwuRBGdXl2AcXT6SkYrNq8kSd58M2fYN5t5KMxy
QX+oawvJ9eCedeOMgqXvX2cohI4XoCjnnN8IWV9O4spvUae29Qyedm4nyBLOdZho
sNi4kSxPE8A9k9DTl6jS9qD5MqssBwmMgQUfq4oym7zVOyIxFwZfcV7dNwDjTIiC
lOe0tmeQPUEq0h4z8nCxP85jI03y/nrS7SIGYFljYMtZq+UmuCCk6hl92kyV7BMX
9r1wwbaatJV1lzpHOYFqpuIPbaN8l8vp2f+kVrQxCq5HafKOlI+O8l0Yy6P5C1mz
9stB5i0dpD7RJ/EPNA4iLegr/T1+crJiLMMBDy6u7o/TWeHnIbezkamwFS7EYfTg
HSkonNvnPaJxkDjZ3F6/GBY0Dv/kjm/dckZCY9Hm5vg9as02bswa6/UBMTCKnG0G
2++Eb+b3R+7uAGXDK56wCSIUQclJKFIr/98+GsoSAxuttugEqRQ=
=b5jY
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================