{"id":"MGASA-2021-0153","summary":"Updated jackson-databind packages fix security vulnerabilities","details":"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x\nbefore 2.9.9. When Default Typing is enabled (either globally or for a specific\nproperty) for an externally exposed JSON endpoint, the service has the\nmysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker\ncan host a crafted MySQL server reachable by the victim, an attacker can send\na crafted JSON message that allows them to read arbitrary local files on the\nserver. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin\nvalidation (CVE-2019-12086).\n\nFasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a\nvariety of impacts by leveraging failure to block the logback-core class from\npolymorphic deserialization. Depending on the classpath content, remote code\nexecution may be possible (CVE-2019-12384).\n\nA Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x\nthrough 2.9.9. When Default Typing is enabled (either globally or for a specific\nproperty) for an externally exposed JSON endpoint and the service has JDOM\n1.x or 2.x jar in the classpath, an attacker can send a specifically crafted\nJSON message that allows them to read arbitrary local files on the server\n(CVE-2019-12814).\n\nSubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles\ndefault typing when ehcache is used (because of\nnet.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup),\nleading to remote code execution (CVE-2019-14379).\n\nA Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x\nbefore 2.9.9.2. This occurs when Default Typing is enabled (either globally or\nfor a specific property) for an externally exposed JSON endpoint and the\nservice has the logback jar in the classpath (CVE-2019-14439).\n\nA Polymorphic Typing issue was discovered in FasterXML jackson-databind before\n2.9.10. It is related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540).\n\nA Polymorphic Typing issue was discovered in FasterXML jackson-databind before\n2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different\nvulnerability than CVE-2019-14540 (CVE-2019-16335).\n\nA Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0\nthrough 2.9.10. When Default Typing is enabled (either globally or for a\nspecific property) for an externally exposed JSON endpoint and the service has\nthe commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI\nservice endpoint to access, it is possible to make the service execute a\nmalicious payload. This issue exists because of\norg.apache.commons.dbcp.datasources.SharedPoolDataSource and\norg.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling\n(CVE-2019-16942).\n\nA Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0\nthrough 2.9.10. When Default Typing is enabled (either globally or for a\nspecific property) for an externally exposed JSON endpoint and the service has\nthe p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI\nservice endpoint to access, it is possible to make the service execute a\nmalicious payload. This issue exists because of\ncom.p6spy.engine.spy.P6DataSource mishandling (CVE-2019-16943).\n\nA Polymorphic Typing issue was discovered in FasterXML jackson-databind before\n2.9.10. It is related to\nnet.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup (CVE-2019-17267).\n\nA Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0\nthrough 2.9.10. When Default Typing is enabled (either globally or for a\nspecific property) for an externally exposed JSON endpoint and the service has \nthe apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker\ncan provide a JNDI service to access, it is possible to make the service\nexecute a malicious payload (CVE-2019-17531).\n\nFasterXML jackson-databind 2.x before 2.9.10.2 lacks certain\nnet.sf.ehcache blocking (CVE-2019-20330).\n\nFasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI\nblocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter\n(CVE-2020-8840).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to\norg.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config)\n(CVE-2020-9546).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to\ncom.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap)\n(CVE-2020-9547).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to\nbr.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core) (CVE-2020-9548).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to\norg.apache.aries.transaction.jms.internal.XaPooledConnectionFactory\n(aka aries.transaction.jms) (CVE-2020-10672).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to\ncom.caucho.config.types.ResourceRef (aka caucho-quercus) (CVE-2020-10673).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to\norg.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy)\n(CVE-2020-10968).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to javax.swing.JEditorPane\n(CVE-2020-10969).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to org.apache.activemq.*\n(aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms)\n(CVE-2020-11111). \n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to\norg.apache.commons.proxy.provider.remoting.RmiProvider\n(aka apache/commons-proxy) (CVE-2020-11112).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to\norg.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa) (CVE-2020-11113).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to\norg.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop)\n(CVE-2020-11619).\n\nFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction\nbetween serialization gadgets and typing, related to\norg.apache.commons.jelly.impl.Embedded (aka commons-jelly) (CVE-2020-11620).\n\nFasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between\nserialization gadgets and typing, related to\noadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill)\n(CVE-2020-14060).\n\nFasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction\nbetween serialization gadgets and typing, related to\noracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory,\noracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory,\nand oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).\n(CVE-2020-14061).\n\nFasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction\nbetween serialization gadgets and typing, related to\ncom.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2)\n(CVE-2020-14062).\n\nFasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction\nbetween serialization gadgets and typing, related to\norg.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity) (CVE-2020-14195).\n\nA flaw was found in FasterXML Jackson Databind, where it did not have entity\nexpansion secured properly. This flaw allows vulnerability to XML external\nentity (XXE) attacks. The highest threat from this vulnerability is data\nintegrity (CVE-2020-25649).\n\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction\nbetween serialization gadgets and typing, related to\ncom.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded\nXalan in org.glassfish.web/javax.servlet.jsp.jstl) (CVE-2020-35728).\n\nA flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles\nthe interaction between serialization gadgets and typing. The highest threat\nfrom this vulnerability is to data confidentiality and integrity as well as\nsystem availability (CVE-2021-20190).\n","modified":"2026-02-04T02:23:21.788088Z","published":"2021-03-27T14:27:02Z","related":["CVE-2019-12086","CVE-2019-12384","CVE-2019-12814","CVE-2019-14379","CVE-2019-14439","CVE-2019-14540","CVE-2019-16335","CVE-2019-16942","CVE-2019-16943","CVE-2019-17267","CVE-2019-17531","CVE-2019-20330","CVE-2020-10672","CVE-2020-10673","CVE-2020-10968","CVE-2020-10969","CVE-2020-11111","CVE-2020-11112","CVE-2020-11113","CVE-2020-11619","CVE-2020-11620","CVE-2020-14060","CVE-2020-14061","CVE-2020-14062","CVE-2020-14195","CVE-2020-25649","CVE-2020-35728","CVE-2020-8840","CVE-2020-9546","CVE-2020-9547","CVE-2020-9548","CVE-2021-20190"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0153.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=25266"},{"type":"REPORT","url":"https://www.debian.org/security/2019/dsa-4452"},{"type":"REPORT","url":"https://www.debian.org/security/2019/dsa-4542"},{"type":"REPORT","url":"https://www.debian.org/lts/security/2019/dla-2030"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4JYW4U272JPM7AYVNENNTWYYYAAQ4TZO/"},{"type":"REPORT","url":"https://www.debian.org/lts/security/2020/dla-2111"},{"type":"REPORT","url":"https://www.debian.org/lts/security/2020/dla-2135"},{"type":"REPORT","url":"https://www.debian.org/lts/security/2020/dla-2153"},{"type":"REPORT","url":"https://www.debian.org/lts/security/2020/dla-2179"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2020:1523"},{"type":"REPORT","url":"https://www.debian.org/lts/security/2020/dla-2406"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2020:4366"},{"type":"REPORT","url":"https://lists.suse.com/pipermail/sle-security-updates/2021-January/008253.html"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/"}],"affected":[{"package":{"name":"jackson-databind","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/jackson-databind?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9.8-1.2.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0153.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}