Debian LTS Advisory ([SECURITY] [DLA 1943-1] jackson-databind security update)

Published: 2019-10-03 02:00:14
CVE Author: NIST National Vulnerability Database (NVD)

CVSS v2 Base Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary:
The remote host is missing an update for the 'jackson-databind' Linux Distribution Package(s) announced via the DLA-1943-1 advisory.

Detection Method:
Checks if a vulnerable Linux Distribution Package version is present on the target host.

Technical Details:
More deserialization flaws were discovered in jackson-databind, relating to the classes com.zaxxer.hikari.HikariConfig (CVE-2019-14540), com.zaxxer.hikari.HikariDataSource (CVE-2019-16335), the commons-dbcp data-source classes (CVE-2019-16942) and com.p6spy.engine.spy.P6DataSource (CVE-2019-16943). These are "gadget" classes: when an application has enabled polymorphic type handling (Default Typing, either globally or for an Object-typed property) on a JSON endpoint that accepts untrusted input, and the library providing the gadget is on the classpath, an unauthenticated attacker can name one of these classes in the JSON and have Jackson instantiate and configure it, which can lead to remote code execution. The issue was resolved by extending the blacklist and blocking these additional classes from polymorphic deserialization. Note that a blacklist only covers known gadgets; applications that do not need Default Typing on untrusted input should disable it rather than rely on the list.
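To make the precondition concrete, here is an added example (not code from the advisory or from the jackson-databind project) in Java against the jackson-databind 2.9+ API. It shows the vulnerable shape, an Object-typed property read by a mapper with Default Typing enabled, where the attacker's JSON decides which class gets instantiated, beside the hardened shape, a closed type hierarchy declared with @JsonTypeInfo/@JsonSubTypes, which needs no blacklist at all. The class and property names (LooseConfig, SideEffectBean, PooledSettings, and so on) are hypothetical stand-ins; the gadget classes from the advisory are not used so the program runs without their libraries.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Added example (not from the advisory): why Default Typing on an untrusted JSON
 * endpoint is the precondition for the gadget-class flaws, and the alternative
 * that does not need a blacklist. All class names here are hypothetical stand-ins.
 */
public class DefaultTypingDemo {

    /** Vulnerable shape: an Object-typed property, read by a mapper with Default Typing enabled. */
    public static class LooseConfig {
        public Object dataSource;
    }

    /**
     * Stand-in for a gadget class. It is harmless, but it is instantiated solely because
     * its name appears in attacker-supplied JSON. With the libraries named in the advisory
     * on the classpath, the same mechanism instantiates HikariConfig, HikariDataSource,
     * the commons-dbcp data sources or P6DataSource, which is what the blacklist blocks.
     */
    public static class SideEffectBean {
        public String note;
        public SideEffectBean() {
            System.out.println("  constructor of the class named in the JSON ran");
        }
    }

    /** Hardened shape: a closed hierarchy whose permitted subtypes are declared in code. */
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = PooledSettings.class, name = "pooled") })
    public interface DataSourceSettings {}

    public static class PooledSettings implements DataSourceSettings {
        public String url;
        public int maxPoolSize;
    }

    public static class StrictConfig {
        public DataSourceSettings dataSource;
    }

    public static void main(String[] args) throws Exception {
        // --- vulnerable: the JSON, not the code, decides which class is instantiated ---
        ObjectMapper loose = new ObjectMapper();
        // Deprecated since 2.10 in favour of activateDefaultTyping(PolymorphicTypeValidator, ...),
        // but this is the setting the affected applications have in place.
        loose.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);

        // Default Typing's default inclusion is WRAPPER_ARRAY: ["fully.qualified.Name", { ...properties... }]
        String attackerJson = "{\"dataSource\":[\"" + SideEffectBean.class.getName() + "\",{\"note\":\"x\"}]}";
        LooseConfig l = loose.readValue(attackerJson, LooseConfig.class);
        System.out.println("vulnerable mapper instantiated: " + l.dataSource.getClass().getName());

        // --- hardened: no Default Typing; the type id is a logical name mapped to an allowlisted class ---
        ObjectMapper strict = new ObjectMapper();
        String goodJson = "{\"dataSource\":{\"type\":\"pooled\",\"url\":\"jdbc:h2:mem:t\",\"maxPoolSize\":4}}";
        StrictConfig s = strict.readValue(goodJson, StrictConfig.class);
        System.out.println("strict mapper instantiated: " + s.dataSource.getClass().getSimpleName());

        // A class name, or any id not declared in @JsonSubTypes, is rejected before anything is instantiated.
        String badJson = "{\"dataSource\":{\"type\":\"" + SideEffectBean.class.getName() + "\"}}";
        try {
            strict.readValue(badJson, StrictConfig.class);
            System.out.println("unexpected: strict mapper accepted an undeclared type id");
        } catch (JsonMappingException e) { // InvalidTypeIdException, a subclass, on 2.9+
            System.out.println("strict mapper rejected undeclared type id: " + e.getOriginalMessage());
        }
    }
}
```

Compile and run with jackson-databind, jackson-core and jackson-annotations on the classpath. The vulnerable mapper prints the constructor message from the class the JSON named; the strict mapper builds PooledSettings from the logical id "pooled" and rejects the class-name id without calling any constructor. The second approach is the one to prefer for untrusted input, since the blacklist extended by this update only stops gadgets that are already known.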

Affected Versions:
'jackson-databind' Linux Distribution Package(s) on Debian Linux.

Recommendations:
For Debian 8 'Jessie', these problems have been fixed in version 2.4.2-2+deb8u9. We recommend that you upgrade your jackson-databind Linux Distribution Packages. The installed binary package is libjackson2-databind-java; `dpkg -l libjackson2-databind-java` shows the version present on the host, and anything older than 2.4.2-2+deb8u9 is affected.

Solution Type:
Vendor Patch

Detection Type:
Linux Distribution Package

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2019-14540
https://nvd.nist.gov/vuln/detail/CVE-2019-16335
https://nvd.nist.gov/vuln/detail/CVE-2019-16942
https://nvd.nist.gov/vuln/detail/CVE-2019-16943

References:

https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html
https://security-tracker.debian.org/tracker/DLA-1943-1
https://bugs.debian.org/940498
https://bugs.debian.org/941530

Severity:
High

CVSS Score:
7.5
