-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1368
                    jackson-databind security update
                               20 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FasterXML jackson-databind
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112
                   CVE-2020-11111 CVE-2020-10969 CVE-2020-10968

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2179

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running FasterXML jackson-databind check for an updated version of
         the software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : jackson-databind
Version        : 2.4.2-2+deb8u14
CVE ID         : CVE-2020-10968 CVE-2020-10969 CVE-2020-11111 CVE-2020-11112
                 CVE-2020-11113 CVE-2020-11619 CVE-2020-11620

The following CVEs were reported against the jackson-databind source package:

CVE-2020-10968

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
    between serialization gadgets and typing, related to
    org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

CVE-2020-10969

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
    between serialization gadgets and typing, related to
    javax.swing.JEditorPane.

CVE-2020-11111

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
    between serialization gadgets and typing, related to org.apache.activemq.*
    (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

CVE-2020-11112

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
    between serialization gadgets and typing, related to
    org.apache.commons.proxy.provider.remoting.RmiProvider (aka
    apache/commons-proxy).

CVE-2020-11113

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
    between serialization gadgets and typing, related to
    org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

CVE-2020-11619

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
    between serialization gadgets and typing, related to
    org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

CVE-2020-11620

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
    between serialization gadgets and typing, related to
    org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u14.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl6aQQwACgkQgj6WdgbD
S5Y7kBAAvmbmDnwXRoKyWxdY5wSB2gvTT/kaSeTT/EcnAiLHdlLj1XSgb9TqanXa
fTWVsQivLNz3Pn4tY5qcniJRnabnhRbRxgHeF30L9cXecX6mnuloikUGllMcSiko
6S22Qgir0eJMdF/x2AqW1csb4z3MWylwOGmiqERT0VbIiF3Fhann2H3gnhZLj4Yc
qmXv/mnSxrUldgchHCNbTg44iVnO+gz/R3HzTswzc24IaPCKBpIO14N5Jn5ew34q
pp+2ZsuFmfCBvTcgbK0BS6mPrqrqKX1t+Y1vJXP/RUH0A5rD10PEEkrxbrpXJ0F+
MIpu1+DEVVHn6F5fFsjrdfdIZe9ce21ooyKhUyfLdrrbcuM98gvOCDc6bN+CrJVn
x2fQLRpOysCuDALqokSmD5+LmeSIVUJKIiCL78dbRkxHrsCnOHP3GOE8RXLPLf+W
V8WDMwLmrohdN1PMFmTIVGrmb5Qo5fqZzywOr3MuDdxC4G66PzrAqhKbieBB/d8K
pqB2V6r9lC4MX1xEu8Fgg6UTdLqLAKesjyAONX5W+oYlafLp0GjmeyqBEgmdT/oW
I9MsuH/oG0WY6GoaciUVzNKowa1AePsg+C3nz7zPdtT1b9uwr/dXy4KBW6hE3IKz
7Z6NzIabMf1HQkr2FJ2NDQaCWvg1KUX2xadhRlN84HYbVPMHqX0=
=a84X
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXpz8jmaOgq3Tt24GAQgLvA/+LrtS4r6Ue8BlekBEzbRe2PAduBrpXq1a
0m1uRDK5qpYz0/YY0S9XloXUqxiqZp5OfOrsHIjjaOg4+KxbjcJBFfawL5qM5s1G
MODx738HpI8I0gFFh/crG8XIvuum4KFQKQy4yJZd8buV4ZqG+pPkzMC7KA9OHo12
OH+MbzzOi9PLuYzQnbx7SqzBM9/HhIOrfNWLzRwe7FKEpcf3hkqDfA0tLPu4xB/X
z3C0CY94mcO4iCMJIdH2eo0ImltF6fCKSjfbffJIGOrLij2EjDixpB4js8xc2oi2
ILkefibvGTWId4dlSiiQPoLIJd8+3lv3F+WmifHvTYxWL1LTTAOanSs23V9jBpo2
hLuCbZprJP9HFoqJDqpMD8TWQ7teaYLU7PS+C3cuM0rBRhoPeJdwRXxYNVKjoULD
1WiDfsAeV6+7IGB7H41X55gL9wkJ36rl5nUHQtlb31Esix3/GGhz7N6OuHxMq6gm
f7+JO94IXxvMq/m5s3ZlbxZOh+liZH1lwTKOhChfTu/5JrWyvNyqjaA6+6eIkwYa
f7NxeK07zgIv5ZCYjuSlWZfQCZITczSJO9zurK8AWmwssYE3B12PLqUxW9nsJQkM
2JW+7W+WbMJY+XIAS8KKYftPlKuPJzaA6vmBWxDis4J3br92QklVVzkTkiZ8xUqT
IRf15FwuZuo=
=tUrw
-----END PGP SIGNATURE-----
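All seven CVEs above have the same shape: they only matter when an application has turned on jackson-databind's default (polymorphic) typing, so that a class name embedded in attacker-controlled JSON is used as the type to instantiate, and one of the named "gadget" classes happens to be on the classpath. The Debian package fix extends upstream's blocklist of such classes. The following Java program is an added illustration of the configuration side of the problem; it is not code from the Debian advisory or from the jackson-databind project. It assumes jackson-databind 2.10 or later, where the `PolymorphicTypeValidator` allowlist API exists (the 2.4.x series shipped in Debian 8 predates it, so there the only safe choice is to never enable default typing on untrusted input). The package, `Shape` and `Circle` classes and the JSON inputs are made up for the demo; the advisory's `org.apache.commons.jelly.impl.Embedded` name is used only as a type-id string and is not on the demo's classpath.

```java
package com.example.shapes;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {

    // Hypothetical application model: an abstract base type with one real subtype.
    public static abstract class Shape { }

    public static class Circle extends Shape {
        public double radius;
    }

    /** The dangerous configuration: any class name found in the JSON becomes the target type. */
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10; no validator at all
        return m;
    }

    /** Hardened: default typing stays on, but only class names under our own package are resolvable. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // Name-prefix rule: checked BEFORE the class is loaded, so a foreign
                // class name is refused without ever running its static initialisers.
                .allowIfSubType("com.example.shapes.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs (default typing uses a wrapper array: [typeId, value]).
        String legit  = "[\"" + Circle.class.getName() + "\",{\"radius\":2.5}]";
        String gadget = "[\"org.apache.commons.jelly.impl.Embedded\",{}]";

        // 1. The vulnerable mapper resolves whatever class name the input names.
        //    Here a harmless JDK class is used to show the behaviour, nothing more.
        Object o = vulnerableMapper().readValue("[\"java.util.ArrayList\",[]]", Object.class);
        System.out.println("vulnerable mapper instantiated: " + o.getClass().getName());

        // 2. The hardened mapper still deserialises the legitimate subtype ...
        ObjectMapper hardened = hardenedMapper();
        Shape s = hardened.readValue(legit, Shape.class);
        System.out.println("hardened mapper accepted: " + ((Circle) s).radius);

        // 3. ... but refuses a type id outside the allowlist, whether or not the
        //    named class exists on the classpath.
        try {
            hardened.readValue(gadget, Shape.class);
            System.out.println("UNEXPECTED: gadget type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("hardened mapper refused: " + e.getOriginalMessage());
        }
    }
}
```

When auditing a code base for exposure to this advisory, grep for `enableDefaultTyping`, `activateDefaultTyping` with `LaissezFaireSubTypeValidator`, and `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)` on fields fed from untrusted input; an allowlist as above, or removing polymorphic typing altogether, closes the whole class of gadget CVEs rather than just the seven names listed here.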