Multiple vulnerabilities in FasterXML jackson-databind



Published: 2018-12-15
Risk High
Patch available YES
Number of vulnerabilities 6
CVE-ID CVE-2018-14721
CVE-2018-14720
CVE-2018-14719
CVE-2018-19361
CVE-2018-19360
CVE-2018-19362
CWE-ID CWE-918
CWE-611
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor FasterXML

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU17776

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-14721

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to fail to block the axis2-jaxws class from polymorphic deserialization. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Update to version 2.9.7.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.6


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
http://github.com/FasterXML/jackson-databind/issues/2097
http://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) XXE attack

EUVDB-ID: #VU17777

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-14720

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform XXE attacks.

The vulnerability exists due to fail to block unspecified Java Development Kit (JDK) classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input, conduct an XXE attack to access sensitive information, bypass security restrictions, or cause a denial of service (DoS) condition on the targeted system. 

Mitigation

Update to version 2.9.7.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.6


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
http://github.com/FasterXML/jackson-databind/issues/2097
http://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Input validation error

EUVDB-ID: #VU17778

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-14719

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to fail to block blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 2.9.7.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.6


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
http://github.com/FasterXML/jackson-databind/issues/2097
http://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Input validation error

EUVDB-ID: #VU17779

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-19361

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the openjpa class from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Mitigation

Update to version 2.9.8.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.7


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b
http://github.com/FasterXML/jackson-databind/issues/2186
http://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
http://issues.apache.org/jira/browse/TINKERPOP-2121

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Input validation error

EUVDB-ID: #VU17780

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-19360

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the axis2-transport-jmsclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Mitigation

Update to version 2.9.8.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.7


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b
http://github.com/FasterXML/jackson-databind/issues/2186
http://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
http://issues.apache.org/jira/browse/TINKERPOP-2121

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Input validation error

EUVDB-ID: #VU17781

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-19362

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the jboss-common-coreclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Mitigation

Update to version 2.9.8.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.7


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b
http://github.com/FasterXML/jackson-databind/issues/2186
http://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
http://issues.apache.org/jira/browse/TINKERPOP-2121

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###