| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2025-52999 |
| CWE-ID | CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software | Anolis OS (Operating systems & Components / Operating system). Operating system packages or components (Operating systems & Components / Operating system package or component): jackson-parent, jackson-modules-base, jackson-module-jaxb-annotations, jackson-jaxrs-providers, jackson-jaxrs-json-provider, jackson-databind, jackson-core, jackson-bom, jackson-annotations, fasterxml-oss-parent, resteasy, pki-servlet-engine, glassfish-jaxb-txw2, glassfish-jaxb-runtime, glassfish-jaxb-core, xsom, xmlstreambuffer, xml-commons-resolver, xml-commons-apis, xerces-j2, xalan-j2, velocity, stax-ex, slf4j-jdk14, relaxngDatatype, javassist-javadoc, javassist, jakarta-commons-httpclient, glassfish-jaxb-api, glassfish-fastinfoset, bea-stax-api, apache-commons-net, apache-commons-lang, apache-commons-collections, slf4j |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains one medium-risk vulnerability.
EUVDB-ID: #VU112106
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-52999
CWE-ID: CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when parsing deeply nested JSON files. A remote attacker can pass a specially crafted JSON file to the application, trigger memory corruption and perform a denial of service (DoS) attack.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Anolis OS: 8
jackson-parent: before 2.19.1-1
jackson-modules-base: before 2.19.1-1
jackson-module-jaxb-annotations: before 2.19.1-1
jackson-jaxrs-providers: before 2.19.1-1
jackson-jaxrs-json-provider: before 2.19.1-1
jackson-databind: before 2.19.1-1
jackson-core: before 2.19.1-1
jackson-bom: before 2.19.1-1
jackson-annotations: before 2.19.1-1
fasterxml-oss-parent: before 69-1
resteasy: before 3.0.26-7
pki-servlet-engine: before 9.0.62-1
glassfish-jaxb-txw2: before 2.2.11-12
glassfish-jaxb-runtime: before 2.2.11-12
glassfish-jaxb-core: before 2.2.11-12
xsom: before 0-19.20110809svn
xmlstreambuffer: before 1.5.4-8
xml-commons-resolver: before 1.2-26
xml-commons-apis: before 1.4.01-25
xerces-j2: before 2.11.0-34
xalan-j2: before 2.7.1-38
velocity: before 1.7-24
stax-ex: before 1.7.7-8
slf4j-jdk14: before 1.7.25-4
relaxngDatatype: before 2011.1-7
javassist-javadoc: before 3.18.1-8
javassist: before 3.18.1-8
jakarta-commons-httpclient: before 3.1-28
glassfish-jaxb-api: before 2.2.12-8
glassfish-fastinfoset: before 1.2.13-9
bea-stax-api: before 1.2.0-16
apache-commons-net: before 3.6-3
apache-commons-lang: before 2.6-21
apache-commons-collections: before 3.2.2-10
slf4j: before 1.7.25-4
https://anas.openanolis.cn/errata/detail/ANSA-2025:0605
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.