Multiple vulnerabilities in z/Transaction Processing Facility



Published: 2022-10-11
Risk: High
Patch available: YES
Number of vulnerabilities: 67
CVE-ID: CVE-2021-20190
CVE-2019-16942
CVE-2020-36188
CVE-2020-11619
CVE-2020-14195
CVE-2020-10672
CVE-2018-14719
CVE-2018-19360
CVE-2018-14721
CVE-2020-36186
CVE-2020-36181
CVE-2017-7525
CVE-2018-19362
CVE-2020-36184
CVE-2019-17531
CVE-2019-14439
CVE-2020-10968
CVE-2020-36185
CVE-2017-17485
CVE-2019-12406
CVE-2017-12624
CVE-2016-3720
CVE-2018-8088
CVE-2019-14379
CVE-2020-14061
CVE-2020-24616
CVE-2018-12023
CVE-2019-14892
CVE-2020-11113
CVE-2019-20330
CVE-2019-14893
CVE-2020-11111
CVE-2020-36189
CVE-2020-8840
CVE-2019-14540
CVE-2018-19361
CVE-2018-14718
CVE-2020-36182
CVE-2019-10202
CVE-2019-12384
CVE-2020-36180
CVE-2018-14720
CVE-2020-36187
CVE-2018-7489
CVE-2020-11620
CVE-2017-15095
CVE-2019-16943
CVE-2018-5968
CVE-2019-12086
CVE-2020-10673
CVE-2019-12814
CVE-2020-36183
CVE-2020-9547
CVE-2020-25649
CVE-2020-36518
CVE-2020-24750
CVE-2020-36179
CVE-2020-9548
CVE-2020-14062
CVE-2020-14060
CVE-2018-12022
CVE-2020-9546
CVE-2020-11112
CVE-2019-17267
CVE-2018-11307
CVE-2019-16335
CVE-2020-10969
CWE-ID: CWE-502
CWE-20
CWE-918
CWE-200
CWE-399
CWE-19
CWE-611
CWE-284
CWE-264
CWE-94
CWE-787
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #5 is available.
Public exploit code for vulnerability #12 is available.
Public exploit code for vulnerability #14 is available.
Public exploit code for vulnerability #19 is available.
Public exploit code for vulnerability #26 is available.
Public exploit code for vulnerability #29 is available.
Public exploit code for vulnerability #34 is available.
Public exploit code for vulnerability #35 is available.
Public exploit code for vulnerability #41 is available.
Public exploit code for vulnerability #49 is available.
Public exploit code for vulnerability #50 is available.
Public exploit code for vulnerability #53 is available.
Public exploit code for vulnerability #56 is available.
Public exploit code for vulnerability #58 is available.
Vulnerable software
z/Transaction Processing Facility ( z/TPF)
Server applications / Other server solutions

Vendor: IBM Corporation

Security Bulletin

This security bulletin contains information about 67 vulnerabilities.

1) Deserialization of Untrusted Data

EUVDB-ID: #VU49967

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20190

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU21580

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16942

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests within the org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource components. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on the system.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Deserialization of Untrusted Data

EUVDB-ID: #VU49367

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-36188

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Deserialization of Untrusted Data

EUVDB-ID: #VU27031

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11619

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the affected software mishandles the interaction between serialization gadgets and typing, related to "org.springframework.aop.config.MethodLocatingFactoryBean" (aka spring-aop). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Deserialization of Untrusted Data

EUVDB-ID: #VU29128

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-14195

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

6) Deserialization of Untrusted Data

EUVDB-ID: #VU26493

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10672

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data, in the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

EUVDB-ID: #VU17778

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14719

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Input validation error

EUVDB-ID: #VU17780

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-19360

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code.

The vulnerability exists due to a failure to block the axis2-transport-jms class from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU17776

Risk: Low

CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14721

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to a failure to block the axis2-jaxws class from polymorphic deserialization. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Deserialization of Untrusted Data

EUVDB-ID: #VU49375

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36186

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Deserialization of Untrusted Data

EUVDB-ID: #VU49372

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36181

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Deserialization of untrusted data

EUVDB-ID: #VU9128

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-7525

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a deserialization flaw in the jackson-databind component. A remote attacker can send a specially crafted input to the readValue method of the ObjectMapper and execute arbitrary code with privileges of the target service.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

13) Input validation error

EUVDB-ID: #VU17781

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-19362

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code.

The vulnerability exists due to a failure to block the jboss-common-core class from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Deserialization of Untrusted Data

EUVDB-ID: #VU49373

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-36184

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

15) Input validation error

EUVDB-ID: #VU21750

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17531

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected software.

The vulnerability exists due to a Polymorphic Typing issue in jackson-databind when processing JSON requests. A remote attacker can send specially crafted JSON data to a JNDI service and execute a malicious payload.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Information disclosure

EUVDB-ID: #VU19937

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14439

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the logback jar in the classpath. A remote attacker can send a specially crafted JSON message and gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Deserialization of Untrusted Data

EUVDB-ID: #VU26491

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10968

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data, in the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Deserialization of Untrusted Data

EUVDB-ID: #VU49374

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36185

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Deserialization of untrusted data

EUVDB-ID: #VU10257

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-17485

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the FasterXML jackson-databind library due to improper validation of user input handled by the readValue method of the ObjectMapper object. A remote attacker can send malicious input to the vulnerable method of a web application that uses the Spring library in the application's classpath and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

20) Resource management error

EUVDB-ID: #VU22577

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12406

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the affected software does not restrict the number of message attachments present in a given message. A remote authenticated attacker can craft a message containing a very large number of message attachments and cause a denial of service condition on the target system.


Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Data handling

EUVDB-ID: #VU11285

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12624

CWE-ID: CWE-19 - Data Handling

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to data handling. A remote attacker can send a specially crafted message attachment header and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) XML External Entity injection

EUVDB-ID: #VU27703

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-3720

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input within the XmlMapper. A remote attacker can pass specially crafted XML to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view the contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Improper access control

EUVDB-ID: #VU11301

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-8088

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to bypass access restrictions on the target system.

The weakness exists in the org.slf4j.ext.EventData class due to improper security restrictions. A remote attacker can send specially crafted input, bypass access restrictions and gain unauthorized access to perform further attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU19933

Risk: High

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14379

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists because the "SubTypeValidator.java" file mishandles default typing when Ehcache is used. A remote attacker can send a request that submits malicious input to the targeted system and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Deserialization of Untrusted Data

EUVDB-ID: #VU29131

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14061

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Code Injection

EUVDB-ID: #VU46305

Risk: High

CVSSv3.1: 7.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-24616

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

27) Deserialization of Untrusted Data

EUVDB-ID: #VU19943

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12023

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists when Default Typing is enabled and the service has the Oracle JDBC jar in the classpath. A remote attacker who can provide an LDAP service for the application to access can execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Deserialization of Untrusted Data

EUVDB-ID: #VU25833

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14892

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data of a malicious object using commons-configuration 1 and 2 JNDI classes. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Deserialization of Untrusted Data

EUVDB-ID: #VU26490

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-11113

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data, where the interaction between serialization gadgets and typing is mishandled, related to org.apache.openjpa.ee.WASRegistryManagedRuntime. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

30) Improper access control

EUVDB-ID: #VU24272

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-20330

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions related to net.sf.ehcache in FasterXML jackson-databind. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Deserialization of Untrusted Data

EUVDB-ID: #VU25834

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14893

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data of malicious objects using the xalan JNDI gadget in conjunction with polymorphic type handling methods such as "enableDefaultTyping()", when @JsonTypeInfo is using "Id.CLASS" or "Id.MINIMAL_CLASS", or in any other way in which ObjectMapper.readValue might instantiate objects from unsafe sources. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Deserialization of Untrusted Data

EUVDB-ID: #VU26488

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11111

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data, where the interaction between serialization gadgets and typing is mishandled, related to org.apache.activemq.*. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Deserialization of Untrusted Data

EUVDB-ID: #VU49377

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36189

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Code Injection

EUVDB-ID: #VU25469

Risk: Medium

CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-8840

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the absence of xbean-reflect/JNDI gadget blocking. A remote attacker can pass specially crafted input to the application and execute arbitrary Java code on the system, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

35) Information disclosure

EUVDB-ID: #VU21135

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-14540

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in "com.zaxxer.hikari.HikariConfig". A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

36) Input validation error

EUVDB-ID: #VU17779

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-19361

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code.

The vulnerability exists due to a failure to block the openjpa class from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Remote code execution

EUVDB-ID: #VU17053

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14718

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to the failure to block the slf4j-ext class from polymorphic deserialization. A remote attacker can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Deserialization of Untrusted Data

EUVDB-ID: #VU49370

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36182

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Input validation error

EUVDB-ID: #VU21470

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-10202

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to an incorrect implementation of the patch for Codehaus 1.9.x that addresses the deserialization flaws present in FasterXML jackson-databind. A remote attacker can bypass the implemented protection measures and exploit known deserialization vulnerabilities in the jackson-databind package.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Deserialization of Untrusted Data

EUVDB-ID: #VU19018

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12384

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the software does not block the logback-core class from polymorphic deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Deserialization of Untrusted Data

EUVDB-ID: #VU49369

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-36180

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

42) XXE attack

EUVDB-ID: #VU17777

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14720

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform XXE attacks.

The vulnerability exists due to a failure to block unspecified Java Development Kit (JDK) classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input and conduct an XXE attack to access sensitive information, bypass security restrictions, or cause a denial of service (DoS) condition on the targeted system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Deserialization of Untrusted Data

EUVDB-ID: #VU49376

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36187

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Deserialization of untrusted data

EUVDB-ID: #VU11268

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-7489

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to bypass security restrictions and execute arbitrary code on the target system.

The weakness exists in the readValue method due to improper validation of user input. A remote attacker can send malicious JSON input, bypass security restrictions and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility ( z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Deserialization of Untrusted Data

EUVDB-ID: #VU27032

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11620

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the affected software mishandles the interaction between serialization gadgets and typing, related to "org.apache.commons.jelly.impl.Embedded" (aka commons-jelly). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Remote code execution

EUVDB-ID: #VU9607

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-15095

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in the jackson-databind development library due to improper implementation of blacklists for input handled by the ObjectMapper object readValue method. A remote unauthenticated attacker can send malicious input and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Input validation error

EUVDB-ID: #VU21593

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16943

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests within the com.p6spy.engine.spy.P6DataSource component. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on the system.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Deserialization of untrusted data

EUVDB-ID: #VU10610

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-5968

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to a deserialization flaw. A remote attacker can supply specially crafted input, execute arbitrary code and bypass a blacklist on the target system.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Information disclosure

EUVDB-ID: #VU19941

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-12086

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the mysql-connector-java jar in the classpath. A remote attacker can send a specially crafted JSON message and read arbitrary local files on the server due to the missing "com.mysql.cj.jdbc.admin.MiniAdmin" validation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

50) Deserialization of Untrusted Data

EUVDB-ID: #VU26494

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-10673

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

51) Information disclosure

EUVDB-ID: #VU18961

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12814

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to access sensitive information on a targeted system.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled. A remote attacker can send a crafted JSON message that submits malicious input and gain access to sensitive information on the targeted system.


Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

52) Deserialization of Untrusted Data

EUVDB-ID: #VU49371

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36183

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

53) Deserialization of Untrusted Data

EUVDB-ID: #VU25831

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-9547

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: This vulnerability is related to:

  • com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap)

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

54) XML External Entity injection

EUVDB-ID: #VU48979

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25649

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to modify information on the system.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted XML code to the affected application and modify information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

55) Out-of-bounds write

EUVDB-ID: #VU61799

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36518

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger an out-of-bounds write and cause a denial of service condition on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

56) Deserialization of Untrusted Data

EUVDB-ID: #VU47105

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-24750

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. A remote attacker can execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

57) Deserialization of Untrusted Data

EUVDB-ID: #VU49368

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36179

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

58) Deserialization of Untrusted Data

EUVDB-ID: #VU25832

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-9548

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: This vulnerability is related to:

  • br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core)

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

59) Deserialization of Untrusted Data

EUVDB-ID: #VU29130

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14062

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

60) Deserialization of Untrusted Data

EUVDB-ID: #VU29129

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14060

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

61) Deserialization of Untrusted Data

EUVDB-ID: #VU19942

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12022

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists when Default Typing is enabled and the service has the Jodd-db jar in the classpath. A remote attacker can provide an LDAP service to access and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

62) Deserialization of Untrusted Data

EUVDB-ID: #VU25830

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9546

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: This vulnerability is related to:

  • org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config)

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

63) Deserialization of Untrusted Data

EUVDB-ID: #VU26489

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11112

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

64) Input validation error

EUVDB-ID: #VU21594

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17267

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue within the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup component. A remote attacker can execute arbitrary code on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

65) Deserialization of Untrusted Data

EUVDB-ID: #VU19938

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11307

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the usage of default typing along with a gadget class from iBatis, which allows exfiltration of content. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

66) Information disclosure

EUVDB-ID: #VU21136

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16335

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariDataSource". A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

67) Deserialization of Untrusted Data

EUVDB-ID: #VU26492

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10969

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to javax.swing.JEditorPane. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

z/Transaction Processing Facility (z/TPF): 1.1

External links

http://www.ibm.com/blogs/psirt/security-bulletin-z-transaction-processing-facility-is-affected-by-multiple-vulnerabilities-in-the-jackson-databind-jackson-dataformat-xml-jackson-core-slf4j-ext-and-cxf-core-packages/
http://www.ibm.com/support/pages/node/6828455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


