===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2235
        Multiple vulnerabilities have been identified in jackson-databind
                               24 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jackson-databind
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12814 CVE-2019-12384

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running jackson-databind check for an updated version of the
         software for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : jackson-databind
Version        : 2.4.2-2+deb8u7
CVE ID         : CVE-2019-12384 CVE-2019-12814
Debian Bug     : 930750

More Polymorphic Typing issues were discovered in jackson-databind. When
Default Typing is enabled (either globally or for a specific property) for
an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
logback-core jar in the classpath, an attacker can send a specifically
crafted JSON message that allows them to read arbitrary local files on the
server.

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u7.

We recommend that you upgrade your jackson-databind packages.
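As an added illustration (not part of the Debian or AusCERT text, and not jackson-databind's own code), the following Java shows the configuration the advisory warns about beside a hardened alternative that does not rely on Default Typing. The classes Note, TextNote, LinkNote and Request are hypothetical; it assumes jackson-databind 2.4.x and jackson-annotations on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class PolymorphicTypingDemo {
    // Hypothetical payload hierarchy. Subtypes are selected by a short logical
    // name from a fixed allow-list, never by a Java class name sent by the client.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = TextNote.class, name = "text"),
        @JsonSubTypes.Type(value = LinkNote.class, name = "link")
    })
    public static abstract class Note { public String title; }
    public static class TextNote extends Note { public String body; }
    public static class LinkNote extends Note { public String url; }

    // Envelope with a non-final property: exactly the shape Default Typing affects.
    public static class Request { public Note payload; }

    // WEAK: global Default Typing. Jackson will then honour a class name embedded
    // in the JSON for every non-final property, so the set of classes a remote
    // caller can instantiate is the whole classpath (the advisory names JDOM and
    // logback-core as the libraries that turn this into arbitrary file reads).
    // Per-property @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) has the same effect.
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED: no Default Typing; polymorphism only via the annotated allow-list.
    // Upgrading the package is still required; this removes the precondition.
    public static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = hardenedMapper();
        // Constructed sample inputs.
        String listed = "{\"payload\":{\"kind\":\"text\",\"title\":\"t\",\"body\":\"b\"}}";
        String unlisted = "{\"payload\":{\"kind\":\"other\",\"title\":\"t\"}}";
        Request ok = mapper.readValue(listed, Request.class);
        System.out.println("accepted " + ok.payload.getClass().getSimpleName());
        try {
            mapper.readValue(unlisted, Request.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected unknown type id: " + e.getMessage());
        }
    }
}
```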
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.