SB2018121501 - Multiple vulnerabilities in FasterXML jackson-databind

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2018-14721)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to fail to block the axis2-jaxws class from polymorphic deserialization. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

2) XXE attack (CVE-ID: CVE-2018-14720)

The disclosed vulnerability allows a remote attacker to perform XXE attacks.

The vulnerability exists due to fail to block unspecified Java Development Kit (JDK) classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input, conduct an XXE attack to access sensitive information, bypass security restrictions, or cause a denial of service (DoS) condition on the targeted system. 

3) Input validation error (CVE-ID: CVE-2018-14719)

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to fail to block blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

4) Input validation error (CVE-ID: CVE-2018-19361)

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the openjpa class from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

5) Input validation error (CVE-ID: CVE-2018-19360)

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the axis2-transport-jmsclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

6) Input validation error (CVE-ID: CVE-2018-19362)

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the jboss-common-coreclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Remediation

Install update from vendor's website.

References

• https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
• https://github.com/FasterXML/jackson-databind/issues/2097
• https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
• https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
• https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b
• https://github.com/FasterXML/jackson-databind/issues/2186
• https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
• https://issues.apache.org/jira/browse/TINKERPOP-2121