-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1397
                      jackson-databind security update
                               26 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jackson-databind
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20190 CVE-2020-36189 CVE-2020-36188
                   CVE-2020-36187 CVE-2020-36186 CVE-2020-36185
                   CVE-2020-36184 CVE-2020-36183 CVE-2020-36182
                   CVE-2020-36181 CVE-2020-36180 CVE-2020-36179
                   CVE-2020-35728 CVE-2020-35491 CVE-2020-35490
                   CVE-2020-25649 CVE-2020-24750 CVE-2020-24616

Reference:         ASB-2021.0066
                   ASB-2021.0014
                   ESB-2021.0334

Original Bulletin:
   http://www.debian.org/lts/security/2021/dla-2638

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2638-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
April 25, 2021                                https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : jackson-databind
Version        : 2.8.6-1+deb9u9
CVE ID         : CVE-2020-24616 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491
                 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181
                 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185
                 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189
                 CVE-2021-20190

Multiple security vulnerabilities were found in Jackson Databind.

CVE-2020-24616

    FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the
    interaction between serialization gadgets and typing, related to
    br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

CVE-2020-24750

    FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the
    interaction between serialization gadgets and typing, related to
    com.pastdev.httpcomponents.configuration.JndiConfiguration.

CVE-2020-25649

    A flaw was found in FasterXML Jackson Databind, where it did not have
    entity expansion secured properly. This flaw allows vulnerability to
    XML external entity (XXE) attacks. The highest threat from this
    vulnerability is data integrity.

CVE-2020-35490

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-35491

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-35728

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
    (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

CVE-2020-36179

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36180

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36181

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36182

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36183

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

CVE-2020-36184

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-36185

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-36186

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

CVE-2020-36187

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

CVE-2020-36188

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    com.newrelic.agent.deps.ch.qos.logback.core.db.JNDICS.

CVE-2020-36189

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
    interaction between serialization gadgets and typing, related to
    com.newrelic.agent.deps.ch.qos.logback.core.db.DMCS.

CVE-2021-20190

    A flaw was found in jackson-databind before 2.9.10.7. FasterXML
    mishandles the interaction between serialization gadgets and typing.
    The highest threat from this vulnerability is to data confidentiality
    and integrity as well as system availability.

For Debian 9 stretch, these problems have been fixed in version
2.8.6-1+deb9u9.
We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmCEhEQACgkQgj6WdgbD
S5b0phAArpP2x7hIraTYxLJZNipQ+fLfO/psFKiJYMcajpEJ58KOm12m2wDYYDOx
PqWdE4xYDHC9A2voXAf2kOzEssJffYfquM7drKJx2Pi2PoHF0KK56l41buPxFGf5
yA/99egR6itnpmnDsQy1bhbfJS1C1PMJVFr+U0HygQmfWYzbf3YVGYsgz5W0ReJ8
ywSxCkDrEnRW19UL25DvIAb8lldtT3iV9RUGomV1e0Bpy/lQa3QLNfS/K1f61a3U
dsIa+ImqZnNH6zoagiJyFmoOkmpwoAp3QUhQ+fBu/9Lk1ImtpH1ResyDLlp538t6
VjDC0Ib9Nm9s4QOvaW9ut/0pHHVtyGuoZQKmwXSy7Y69mQA/P3fVgCugoIDRBMbE
EkJGyjHLYDPAQmrF9FsBVj+Di181Dv4ALlKUjbvvCZjyA9YGPHd8XpHqmrAW0b9s
ybBGAz0MhgZNlH+ZErLRWPHa+2d0jIp4yKTJPQRDHY+HDeG+q8/lFXYKnDFtLC18
bwXu1ExFGBW16bmdjIiaR7x2OcIBP/hXWSpga+O2Qs1ojfA2NIoM6BKpJw8ZIwtR
jCcgMNmPsc6V47J0zuY/yuBO8FgOq3rjScUpGs+wevaxKx/2hge2jogP8bnth8P6
GAgG7VlQ2VXbPzzHdskzqZqtmLqVZGURBD+qgT9DV1jVLRrnIo0=
=pfKI
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYIZbX+NLKJtyKPYoAQjtQg//eJ3VB+dde29l5RDo9nTQCAhK+JdNsVwi
QFGpXGjkvFeS+r/2gfKbNlK8rebANXaYQkl3K0e6IvBsPLrfMC/6bMGM3jWqnnuC
SWhAhGSqr5bzV2D73eGHpI/+eEXX9L9jYFxvAZpoR/T4/dN5uvWp6k7uMsuhhPWS
/sAhsriNsmdDnBQKXqGo6az5DX6OL0p+Ketqr7Xm9pG9Oai0Ulm7sq6Y7gG/5y5g
KAt/rH/HZ/8yUkWrlPTukpevdTBhrOVjt27We/OCOCjyLqR4hun2XvptUmtNhsU2
CHzAOyXFZdJrIfs6zVuI520w9EV62bAtLLjILh2HB+ZEzKr7C3DkI64eb2FWRNNL
RFgIoHMN4M4ffKQcwiJ6siaY8tO8mCfeAWE/O+YODqcUA7RGvXAt1np6VPirBGZk
Txd4pKarMYwi0bFbe1jfhMcnFSe9F84Xk2nGk6Kl4XpEr58YKH3shwztb7U4hKb9
A80XQFzm8W77idQyfZr9eYSt35bLIBK8AV0Jy8LVNTS/PTz9icI5I7xi1r5sBrvv
vTnJtCJiKxGStHqZSHbhBZH5D7v0as1qSY4jrteaMQJg7K09lbjCaptHGGNY7lO6
oHzZEoTzqrtl20s6Gfef8v1/9hFncx5mw2bt2DN/JAgAnAZCT9VlLJ+bEHCZXt7y
RLp9NtVXEgg=
=ynYc
-----END PGP SIGNATURE-----