Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1397
jackson-databind security update
26 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: jackson-databind
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20190 CVE-2020-36189 CVE-2020-36188
CVE-2020-36187 CVE-2020-36186 CVE-2020-36185
CVE-2020-36184 CVE-2020-36183 CVE-2020-36182
CVE-2020-36181 CVE-2020-36180 CVE-2020-36179
CVE-2020-35728 CVE-2020-35491 CVE-2020-35490
CVE-2020-25649 CVE-2020-24750 CVE-2020-24616
Reference: ASB-2021.0066
ASB-2021.0014
ESB-2021.0334
Original Bulletin:
http://www.debian.org/lts/security/2021/dla-2638
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2638-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
April 25, 2021 https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------
Package : jackson-databind
Version : 2.8.6-1+deb9u9
CVE ID : CVE-2020-24616 CVE-2020-24750 CVE-2020-35490
CVE-2020-35491 CVE-2020-35728 CVE-2020-36179
CVE-2020-36180 CVE-2020-36181 CVE-2020-36182
CVE-2020-36183 CVE-2020-36184 CVE-2020-36185
CVE-2020-36186 CVE-2020-36187 CVE-2020-36188
CVE-2020-36189 CVE-2021-20190
Multiple security vulnerabilities were found in Jackson Databind.
CVE-2020-24616
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the
interaction between serialization gadgets and typing, related
to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVE-2020-24750
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the
interaction between serialization gadgets and typing, related
to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not
have entity expansion secured properly. This flaw allows
vulnerability to XML external entity (XXE) attacks. The highest
threat from this vulnerability is data integrity.
CVE-2020-35490
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CVE-2020-35491
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CVE-2020-35728
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
(aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
CVE-2020-36179
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36180
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36181
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36182
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36183
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CVE-2020-36184
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CVE-2020-36185
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CVE-2020-36186
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CVE-2020-36187
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CVE-2020-36188
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.JNDICS.
CVE-2020-36189
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.DMCS.
CVE-2021-20190
A flaw was found in jackson-databind before 2.9.10.7. FasterXML
mishandles the interaction between serialization gadgets and
typing. The highest threat from this vulnerability is to data
confidentiality and integrity as well as system availability.
For Debian 9 stretch, these problems have been fixed in version
2.8.6-1+deb9u9.
We recommend that you upgrade your jackson-databind packages.
For the detailed security status of jackson-databind please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmCEhEQACgkQgj6WdgbD
S5b0phAArpP2x7hIraTYxLJZNipQ+fLfO/psFKiJYMcajpEJ58KOm12m2wDYYDOx
PqWdE4xYDHC9A2voXAf2kOzEssJffYfquM7drKJx2Pi2PoHF0KK56l41buPxFGf5
yA/99egR6itnpmnDsQy1bhbfJS1C1PMJVFr+U0HygQmfWYzbf3YVGYsgz5W0ReJ8
ywSxCkDrEnRW19UL25DvIAb8lldtT3iV9RUGomV1e0Bpy/lQa3QLNfS/K1f61a3U
dsIa+ImqZnNH6zoagiJyFmoOkmpwoAp3QUhQ+fBu/9Lk1ImtpH1ResyDLlp538t6
VjDC0Ib9Nm9s4QOvaW9ut/0pHHVtyGuoZQKmwXSy7Y69mQA/P3fVgCugoIDRBMbE
EkJGyjHLYDPAQmrF9FsBVj+Di181Dv4ALlKUjbvvCZjyA9YGPHd8XpHqmrAW0b9s
ybBGAz0MhgZNlH+ZErLRWPHa+2d0jIp4yKTJPQRDHY+HDeG+q8/lFXYKnDFtLC18
bwXu1ExFGBW16bmdjIiaR7x2OcIBP/hXWSpga+O2Qs1ojfA2NIoM6BKpJw8ZIwtR
jCcgMNmPsc6V47J0zuY/yuBO8FgOq3rjScUpGs+wevaxKx/2hge2jogP8bnth8P6
GAgG7VlQ2VXbPzzHdskzqZqtmLqVZGURBD+qgT9DV1jVLRrnIo0=
=pfKI
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYIZbX+NLKJtyKPYoAQjtQg//eJ3VB+dde29l5RDo9nTQCAhK+JdNsVwi
QFGpXGjkvFeS+r/2gfKbNlK8rebANXaYQkl3K0e6IvBsPLrfMC/6bMGM3jWqnnuC
SWhAhGSqr5bzV2D73eGHpI/+eEXX9L9jYFxvAZpoR/T4/dN5uvWp6k7uMsuhhPWS
/sAhsriNsmdDnBQKXqGo6az5DX6OL0p+Ketqr7Xm9pG9Oai0Ulm7sq6Y7gG/5y5g
KAt/rH/HZ/8yUkWrlPTukpevdTBhrOVjt27We/OCOCjyLqR4hun2XvptUmtNhsU2
CHzAOyXFZdJrIfs6zVuI520w9EV62bAtLLjILh2HB+ZEzKr7C3DkI64eb2FWRNNL
RFgIoHMN4M4ffKQcwiJ6siaY8tO8mCfeAWE/O+YODqcUA7RGvXAt1np6VPirBGZk
Txd4pKarMYwi0bFbe1jfhMcnFSe9F84Xk2nGk6Kl4XpEr58YKH3shwztb7U4hKb9
A80XQFzm8W77idQyfZr9eYSt35bLIBK8AV0Jy8LVNTS/PTz9icI5I7xi1r5sBrvv
vTnJtCJiKxGStHqZSHbhBZH5D7v0as1qSY4jrteaMQJg7K09lbjCaptHGGNY7lO6
oHzZEoTzqrtl20s6Gfef8v1/9hFncx5mw2bt2DN/JAgAnAZCT9VlLJ+bEHCZXt7y
RLp9NtVXEgg=
=ynYc
-----END PGP SIGNATURE-----