[SECURITY] [DLA 1831-1] jackson-databind security update

2019-06-2115:09:36

lists.debian.org

315

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.007 Low

EPSS

Percentile

80.1%

JSON

Package : jackson-databind
Version : 2.4.2-2+deb8u7
CVE ID : CVE-2019-12384 CVE-2019-12814
Debian Bug : 930750

More Polymorphic Typing issues were discovered in jackson-databind. When
Default Typing is enabled (either globally or for a specific property)
for an externally exposed JSON endpoint and the service has JDOM 1.x or
2.x or logback-core jar in the classpath, an attacker can send a
specifically crafted JSON message that allows them to read arbitrary
local files on the server.

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u7.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8alljackson-databind< 2.4.2-2+deb8u7jackson-databind_2.4.2-2+deb8u7_all.deb
Debian8alllibjackson2-databind-java-doc< 2.4.2-2+deb8u7libjackson2-databind-java-doc_2.4.2-2+deb8u7_all.deb
Debian9alllibjackson2-databind-java-doc< 2.8.6-1+deb9u6libjackson2-databind-java-doc_2.8.6-1+deb9u6_all.deb
Debian8alllibjackson2-databind-java< 2.4.2-2+deb8u7libjackson2-databind-java_2.4.2-2+deb8u7_all.deb
Debian9alljackson-databind< 2.8.6-1+deb9u6jackson-databind_2.8.6-1+deb9u6_all.deb
Debian9alllibjackson2-databind-java< 2.8.6-1+deb9u6libjackson2-databind-java_2.8.6-1+deb9u6_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	jackson-databind	< 2.4.2-2+deb8u7	jackson-databind_2.4.2-2+deb8u7_all.deb
Debian	8	all	libjackson2-databind-java-doc	< 2.4.2-2+deb8u7	libjackson2-databind-java-doc_2.4.2-2+deb8u7_all.deb
Debian	9	all	libjackson2-databind-java-doc	< 2.8.6-1+deb9u6	libjackson2-databind-java-doc_2.8.6-1+deb9u6_all.deb
Debian	8	all	libjackson2-databind-java	< 2.4.2-2+deb8u7	libjackson2-databind-java_2.4.2-2+deb8u7_all.deb
Debian	9	all	jackson-databind	< 2.8.6-1+deb9u6	jackson-databind_2.8.6-1+deb9u6_all.deb
Debian	9	all	libjackson2-databind-java	< 2.8.6-1+deb9u6	libjackson2-databind-java_2.8.6-1+deb9u6_all.deb