Bug 13867

Summary: [CVE 21] jackson-databind 2.9.9.3 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED QA Contact: ROSA Linux Bugs <bugs>
Severity: blocker    
Priority: Highest CC: a.proklov, e.kosachev, pastordidi, s.matveev, v.potapov, y.tumanov
Version: AllFlags: v.potapov: qa_verified+
y.tumanov: secteam_verified?
a.proklov: published+
Target Milestone: 2021.1 Fresh R12   
Hardware: All   
OS: Linux   
URL: CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2020-25649, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, CVE-2020-36518, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2021-20190, CVE-2022-42003, CVE-2022-42004,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-10-18 20:26:51 MSK 
Please patch CVEs for package jackson-databind version 2.9.9.3
  
INFO (CVEs are): jackson-databind 2.9.9.3
 cves found
CVE-2019-14540
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14540
Severity: CRITICAL
CVE-2019-14892
Desc: A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14892
Severity: CRITICAL
CVE-2019-14893
Desc: A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14893
Severity: CRITICAL
CVE-2019-16335
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16335
Severity: CRITICAL
CVE-2019-16942
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16942
Severity: CRITICAL
CVE-2019-16943
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16943
Severity: CRITICAL
CVE-2019-17267
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-17267
Severity: CRITICAL
CVE-2019-17531
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-17531
Severity: CRITICAL
CVE-2019-20330
Desc: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-20330
Severity: CRITICAL
CVE-2020-10672
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10672
Severity: HIGH
CVE-2020-10673
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10673
Severity: HIGH
CVE-2020-10968
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10968
Severity: HIGH
CVE-2020-10969
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10969
Severity: HIGH
CVE-2020-11111
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11111
Severity: HIGH
CVE-2020-11112
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11112
Severity: HIGH
CVE-2020-11113
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11113
Severity: HIGH
CVE-2020-11619
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11619
Severity: HIGH
CVE-2020-11620
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11620
Severity: HIGH
CVE-2020-14060
Desc: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-14060
Severity: HIGH
CVE-2020-14061
Desc: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-14061
Severity: HIGH
CVE-2020-14062
Desc: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-14062
Severity: HIGH
CVE-2020-14195
Desc: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-14195
Severity: HIGH
CVE-2020-24616
Desc: FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-24616
Severity: HIGH
CVE-2020-24750
Desc: FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-24750
Severity: HIGH
CVE-2020-25649
Desc: A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-25649
Severity: HIGH
CVE-2020-35490
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-35490
Severity: HIGH
CVE-2020-35491
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-35491
Severity: HIGH
CVE-2020-35728
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-35728
Severity: HIGH
CVE-2020-36179
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36179
Severity: HIGH
CVE-2020-36180
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36180
Severity: HIGH
CVE-2020-36181
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36181
Severity: HIGH
CVE-2020-36182
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36182
Severity: HIGH
CVE-2020-36183
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36183
Severity: HIGH
CVE-2020-36184
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36184
Severity: HIGH
CVE-2020-36185
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36185
Severity: HIGH
CVE-2020-36186
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36186
Severity: HIGH
CVE-2020-36187
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36187
Severity: HIGH
CVE-2020-36188
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36188
Severity: HIGH
CVE-2020-36189
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36189
Severity: HIGH
CVE-2020-36518
Desc: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36518
Severity: HIGH
CVE-2020-8840
Desc: FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-8840
Severity: CRITICAL
CVE-2020-9546
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-9546
Severity: CRITICAL
CVE-2020-9547
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-9547
Severity: CRITICAL
CVE-2020-9548
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-9548
Severity: CRITICAL
CVE-2021-20190
Desc: A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20190
Severity: HIGH
CVE-2022-42003
Desc: In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-42003
Severity: HIGH
CVE-2022-42004
Desc: In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-42004
Severity: HIGH
Comment 1 Vladimir Potapov 2023-10-20 17:00:10 MSK 
*** Bug 13735 has been marked as a duplicate of this bug. ***
Comment 2 Svyatoslav Matveev 2023-12-12 02:36:07 MSK 
********** QA ADVISORY **********

Минорное обновление до 2.9.10.8 которое закрывает
большую часть уязвимостей,
с наложение патчей уже на обновленную версию
CVE-2020-36518
CVE-2022-42003
CVE-2022-42004

*** jackson-databind
**  2.9.9.3 .. 2.9.10.8

https://abf.io/build_lists/4885455
https://abf.io/build_lists/4885456
Comment 3 Dmitry Postnikov 2023-12-13 14:44:23 MSK 
*****************************
Обновление отослано в Тестинг
Comment 4 Vladimir Potapov 2023-12-13 18:15:25 MSK 
jackson-databind-2.9.10.8-1
https://abf.io/build_lists/4885455
https://abf.io/build_lists/4885456
************************** Advisory ****************************
CVEs closed by minor update and patches
****************************************************************
QA Verified