drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in rh-maven35-jackson-databind
Name: |
Mehrere Probleme in rh-maven35-jackson-databind |
|
ID: |
RHSA-2019:0782-01 |
|
Distribution: |
Red Hat |
|
Plattformen: |
Red Hat Software Collections |
|
Datum: |
Mi, 17. April 2019, 23:34 |
|
Referenzen: |
https://access.redhat.com/security/cve/CVE-2018-14720
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-12023
https://access.redhat.com/security/cve/CVE-2018-11307
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-14721
https://access.redhat.com/security/cve/CVE-2018-12022
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/cve/CVE-2018-14718 |
|
Applikationen: |
Jackson |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Important: rh-maven35-jackson-databind security update Advisory ID: RHSA-2019:0782-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2019:0782 Issue date: 2019-04-17 CVE Names: CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 =====================================================================
1. Summary:
An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch
3. Description:
The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.
Security Fix(es):
* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)
* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)
* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)
* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)
* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)
* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)
* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)
* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)
* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver 1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library 1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):
Source: rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):
Source: rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):
Source: rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source: rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2018-11307 https://access.redhat.com/security/cve/CVE-2018-12022 https://access.redhat.com/security/cve/CVE-2018-12023 https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXLeUUdzjgjWX9erEAQjCgRAAiPsyahv9+018QOC0Og4f3PqS1+72/9EZ psiznlC4rHBBZNVTTDl3l+etFPn4lup/2vqYARJiymeDcsha8EhLda/uoLQ3h7ir zRnD98RYvSkS37Htu/FrzqVMF+5CglTqwi7HX1fLx1+Lj1S3HHGQ6/gSPf5ip2tI bV21UFQ4GlCqw/FANp5QSSAfX6GFQUb1Vx2Y3j8sgdFtcyMUepaZ+ZY+Hoc//Y5U NN8fx90BrRAF7j77phv6IcuQUxmn9ieV2pMcKTRSdtEVnd2c76zFnqusJ7hglj5w a2ULXjiBuQYipac7Hi3Zy6LRX+8cw367ryqHqJCW48VxEFZxTWkuzD58CZfIdos0 H5sgwgnymZiPgNp8XY2GTBoc39eqggW3WDe5VGorHEqAIk46dClsasjjCtUOSVTj Uawqnh9hbbzUnRakR0Q/yVuXIXzi9W4O3aP6zGEEsO6C4Y96Gp7LWuZRY9JWjtyL MTDJC/j2CAcASautmWn4fP8ar/wjTxCw5zpn8paHc1imZgTFiyw1lwH/y0FJOG9e JXIiWRzN6VD5e7xj46ehU/Z9T97XTgKwpYd/zvdT/Tm3EtfaIGk6rGMtuDHgk862 I29yBVnw8gZWJ8D1vUOcykDuJ/rcU/vbdAXIxjzK8rbXk3RVduRZSOroQJQ03gk+ zJxa94RMC2M= =62uE -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
|
|
|
|