SB2022060909 - Multiple vulnerabilities in IBM Process Mining
Published: June 9, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 57 secuirty vulnerabilities.
1) Deserialization of Untrusted Data (CVE-ID: CVE-2019-14892)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data of a malicious object using commons-configuration 1 and 2 JNDI classes. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Deserialization of Untrusted Data (CVE-ID: CVE-2020-35491)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Deserialization of Untrusted Data (CVE-ID: CVE-2020-35490)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36186)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
5) Deserialization of Untrusted Data (CVE-ID: CVE-2020-11111)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.activemq.*. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Input validation error (CVE-ID: CVE-2018-19361)
The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.
The vulnerability exists due to fail to block the openjpa class from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.
7) Information disclosure (CVE-ID: CVE-2019-14439)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the logback jar in the classpath. A remote attacker can send a specially crafted JSON message and gain unauthorized access to sensitive information on the system.
8) Input validation error (CVE-ID: CVE-2019-17531)
The vulnerability allows a remote attacker to compromise the affected software.
The vulnerability exists due to a Polymorphic Typing in jackson-databind when processing JSON requests. A remote attacker can send specially crafted JSON data to JNDI service and execute a malicious payload.
Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath.
9) Code Injection (CVE-ID: CVE-2020-24616)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
10) Deserialization of Untrusted Data (CVE-ID: CVE-2020-10672)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36188)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Deserialization of Untrusted Data (CVE-ID: CVE-2020-9548)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: This vulnerability is related to:
- br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core)
13) Deserialization of Untrusted Data (CVE-ID: CVE-2020-10969)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to javax.swing.JEditorPane. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
14) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36185)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
15) Improper access control (CVE-ID: CVE-2019-20330)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions related to net.sf.ehcache in FasterXML jackson-databind. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
16) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36187)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
17) Information disclosure (CVE-ID: CVE-2019-12086)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the mysql-connector-java jar in the classpath. A remote attacker can send a specially crafted JSON message and read arbitrary local files on the server due to the missing "com.mysql.cj.jdbc.admin.MiniAdmin" validation.
18) Deserialization of Untrusted Data (CVE-ID: CVE-2021-20190)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
19) Input validation error (CVE-ID: CVE-2018-19362)
The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.
The vulnerability exists due to fail to block the jboss-common-coreclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.
20) Input validation error (CVE-ID: CVE-2019-17267)
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to a Polymorphic Typing issue within the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup component. A remote attacker can execute arbitrary code on he system.
21) Deserialization of Untrusted Data (CVE-ID: CVE-2020-11112)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
22) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2018-14721)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to fail to block the axis2-jaxws class from polymorphic deserialization. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
23) Deserialization of Untrusted Data (CVE-ID: CVE-2020-24750)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. A remote attacker can execute arbitrary code on the target system.
24) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36180)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
25) Remote code execution (CVE-ID: CVE-2018-14718)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to the failure to block the slf4j-ext class from polymorphic deserialization. A remote attacker can execute arbitrary code with elevated privileges.
26) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-14379)
The vulnerability allows a remote attacker to execute arbitrary code on a targeted system.
The vulnerability exists due to the "SubTypeValidator.java" file mishandles default typing when Ehcache is used. A remote attacker can send a request that submits malicious input to the targeted system and execute arbitrary code.
27) Deserialization of Untrusted Data (CVE-ID: CVE-2020-35728)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
28) Deserialization of Untrusted Data (CVE-ID: CVE-2020-9546)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: This vulnerability is related to:
- org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config)
29) Deserialization of Untrusted Data (CVE-ID: CVE-2020-11620)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the affected software mishandles the interaction between serialization gadgets and typing, related to "org.apache.commons.jelly.impl.Embedded" (aka commons-jelly). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
30) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36182)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
31) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36181)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
32) Code Injection (CVE-ID: CVE-2020-8840)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to absence of xbean-reflect/JNDI gadget blocking. A remote attacker can pass specially crafted input to the application and execute arbitrary Java code on the system, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
33) Deserialization of Untrusted Data (CVE-ID: CVE-2020-14195)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
34) Input validation error (CVE-ID: CVE-2019-16943)
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests within the com.p6spy.engine.spy.P6DataSource component. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.
Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.
35) Information disclosure (CVE-ID: CVE-2019-14540)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariConfig". A remote attacker can gain unauthorized access to sensitive information on the system.
36) Input validation error (CVE-ID: CVE-2019-10202)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to incorrect implementation of patch for Codehaus 1.9.x against insufficient data deserialization present in FasterXML jackson-databind. A remote attacker can bypass implemented protection measures and exploit known deserialization vulnerabilities in jackson-databind package.37) XML External Entity injection (CVE-ID: CVE-2020-25649)
The vulnerability allows a remote attacker to modify information on the system.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and modify information on the system.
38) Deserialization of Untrusted Data (CVE-ID: CVE-2019-14893)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as "enableDefaultTyping()" or when @JsonTypeInfo is using "Id.CLASS" or "Id.MINIMAL_CLASS" or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
39) Deserialization of Untrusted Data (CVE-ID: CVE-2020-11619)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to affected software mishandles the interaction between serialization gadgets and typing, related to "org.springframework.aop.config.MethodLocatingFactoryBean" (aka spring-aop). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
40) Deserialization of Untrusted Data (CVE-ID: CVE-2020-14061)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
41) Deserialization of Untrusted Data (CVE-ID: CVE-2020-11113)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
42) Information disclosure (CVE-ID: CVE-2019-12814)
43) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36189)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
44) Input validation error (CVE-ID: CVE-2018-14719)
The disclosed vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to fail to block blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
45) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36179)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
46) Deserialization of Untrusted Data (CVE-ID: CVE-2020-9547)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: This vulnerability is related to:
- com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap)
47) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36184)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
48) Deserialization of Untrusted Data (CVE-ID: CVE-2020-36183)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
49) Deserialization of Untrusted Data (CVE-ID: CVE-2019-12384)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to software allows the logback-core class to process polymorphic deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
50) Deserialization of Untrusted Data (CVE-ID: CVE-2020-10673)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
51) Input validation error (CVE-ID: CVE-2019-16942)
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests within the org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSourc components. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.
Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.
52) Input validation error (CVE-ID: CVE-2018-19360)
The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.
The vulnerability exists due to fail to block the axis2-transport-jmsclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.
53) Deserialization of Untrusted Data (CVE-ID: CVE-2020-10968)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
54) XXE attack (CVE-ID: CVE-2018-14720)
The disclosed vulnerability allows a remote attacker to perform XXE attacks.
The vulnerability exists due to fail to block unspecified Java Development Kit (JDK) classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input, conduct an XXE attack to access sensitive information, bypass security restrictions, or cause a denial of service (DoS) condition on the targeted system.
55) Deserialization of Untrusted Data (CVE-ID: CVE-2020-14062)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
56) Information disclosure (CVE-ID: CVE-2019-16335)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariDataSource". A remote attacker can gain unauthorized access to sensitive information on the system.
57) Deserialization of Untrusted Data (CVE-ID: CVE-2020-14060)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/"
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-databind-affects-ibm-process-mining-multiple-cves/</a><br>
- https://www.ibm.com/support/pages/node/6593435<br><br></p>