-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2235
     Multiple vulnerabilities have been identified in jackson-databind
                               24 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          jackson-databind
Publisher:        Debian
Operating System: Debian GNU/Linux 8
                  Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Access Confidential Data -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2019-12814 CVE-2019-12384 

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running jackson-databind check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jackson-databind
Version        : 2.4.2-2+deb8u7
CVE ID         : CVE-2019-12384 CVE-2019-12814
Debian Bug     : 930750

More Polymorphic Typing issues were discovered in jackson-databind. When
Default Typing is enabled (either globally or for a specific property)
for an externally exposed JSON endpoint and the service has JDOM 1.x or
2.x or logback-core jar in the classpath, an attacker can send a
specifically crafted JSON message that allows them to read arbitrary
local files on the server.
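The condition named above, "Default Typing is enabled", is a single ObjectMapper setting. The Java snippet below is an added illustration and not code from the Debian or jackson-databind projects: it shows the weak configuration beside two safer alternatives. The Shape/Circle/Square classes are hypothetical; activateDefaultTyping and BasicPolymorphicTypeValidator are assumed to be the Jackson 2.10+ APIs (they do not exist in the 2.4.2 package covered by this advisory, where the fix is the package upgrade plus keeping default typing off).

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical domain model: polymorphism restricted to an explicit,
    // name-based allowlist instead of arbitrary class names in the JSON.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // 1. The setting the advisory warns about: global Default Typing.
    //    Type ids in incoming JSON are resolved against the whole classpath,
    //    which is why extra jars (JDOM, logback-core) widen the exposure.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();   // deprecated since 2.10; avoid on exposed endpoints
        return m;
    }

    // 2. Preferred: leave default typing off (the ObjectMapper default) and
    //    rely on the @JsonSubTypes allowlist declared on the base type.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // 3. If default typing is unavoidable (2.10+): bind it to a validator so
    //    only subtypes of our own base type may be instantiated.
    static ObjectMapper validatedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Shape.class)
            .allowIfSubType(Shape.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one allowlisted type id, one unknown id.
        String ok = "{\"kind\":\"circle\",\"radius\":2.0}";
        String unknown = "{\"kind\":\"com.example.NotInAllowlist\",\"radius\":2.0}";

        ObjectMapper m = hardenedMapper();
        Shape s = m.readValue(ok, Shape.class);
        System.out.println("accepted: " + s.getClass().getSimpleName());
        try {
            m.readValue(unknown, Shape.class);
        } catch (InvalidTypeIdException e) {
            // Unknown ids fail closed instead of being looked up on the classpath.
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

A quick audit for the weak setting is a search for enableDefaultTyping (and, in 2.10+, activateDefaultTyping calls whose validator is LaissezFaireSubTypeValidator) across the service's code; each hit on a path fed by an external JSON endpoint is the exposure described in this advisory.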

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u7.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
=MAUn
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXRAcUWaOgq3Tt24GAQgZEhAAvQJeEZy+fzUlkxvPPCKZh7zjbDh2SaGU
jc32dspE3wf7fuGpwJbpaDFOFZl+o3qg4EZIL8x9LOKOlkdymkB77VWL4MrtNIS9
lO+/RNqFGrMMtpgZwfC5iGZ3rX153PFI9gZ8L3SqrNBQCgXw8e0ORePXwttYj6gq
x4VIB0X6AqtDlnlqhxujbV3ZqZ/K9jf/FfioVt04g87eh2yUNzFsTsbVUWXVCrIm
rCYNSvuaY46fmWx9xI/gVCpgvkuM2YcevE7PEAE+vIIhxnqlS/zXb9/FJAsz7MKR
LLK3bydX/PGDnIhy+uE85QtKPGvi22iVeuGjYDFQkOJT/FDuQwjJTFayb2wPMjz8
h5btiFyhoFA8I07hatI0CGgudhacRUXG3NBTgOMbtThpk2qOCwZNo6oIGj0+SdTA
f9zTwkwplV5QMKe+gOzjFcETL6buzxdCk+IHWQ+hNb4Q/AKdICy4SLwka6GJvqfu
73bksmpsqQPnON4KBoNX9LSH9lk40lpa0y5bVtyQ9VCJGC+UVoPucOPpwLb/ETtg
YfU6DFng93rRLsQqEkBmuHH5Ck1vkuPUq4+PLgwaCslfm8rI4Y5jUxSz+q4MKXiL
pm4HsEsfBoGIlfbvFWggYO9N+jgGLAKqSvZ5bvYdwZT5to7QU6gUiq1CfnxDbPSl
TDjC0eWEzHA=
=Uuyp
-----END PGP SIGNATURE-----