
Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020

Description

## Summary

IBM Maximo Asset Management bundles FasterXML jackson-databind and is affected by the jackson-databind CVEs listed below. Most of them share one root cause: when default typing is enabled, the JSON input is allowed to name the Java class to instantiate, and each CVE adds a class ("gadget") that the library's blocklist failed to cover, leading to remote code execution, server-side request forgery or local file disclosure depending on the gadget.

## Vulnerability Details

**CVEID:** [CVE-2019-17267](<https://vulners.com/cve/CVE-2019-17267>)
**DESCRIPTION:** FasterXML jackson-databind could provide weaker than expected security, caused by a polymorphic typing issue related to the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup class. A remote attacker could exploit this vulnerability to launch further attacks on the system.
**CVSS Base score:** 7.3
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2019-12814](<https://vulners.com/cve/CVE-2019-12814>)
**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue related to the JDOM classes. By sending a specially crafted JSON message, an attacker could cause the server to read arbitrary local files.
**CVSS Base score:** 7.5
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/162875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162875>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** [CVE-2017-7525](<https://vulners.com/cve/CVE-2017-7525>)
**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue method of the ObjectMapper when default typing is enabled. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CVSS Base score:** 9.8
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/134639](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134639>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2017-17485](<https://vulners.com/cve/CVE-2017-17485>)
**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix for CVE-2017-7525 in the default-typing feature. By sending specially crafted JSON input to the readValue method of the ObjectMapper, an attacker could bypass the class blocklist and execute arbitrary code on the system.
**CVSS Base score:** 9.8
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/137340](<https://exchange.xforce.ibmcloud.com/vulnerabilities/137340>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2018-19362](<https://vulners.com/cve/CVE-2018-19362>)
**DESCRIPTION:** FasterXML jackson-databind fails to block the jboss-common-core class from polymorphic deserialization. The impact and attack vector are unspecified.
**CVSS Base score:** 5.3
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/155093](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155093>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2018-19361](<https://vulners.com/cve/CVE-2018-19361>)
**DESCRIPTION:** FasterXML jackson-databind fails to block the openjpa class from polymorphic deserialization. The impact and attack vector are unspecified.
**CVSS Base score:** 5.3
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/155092](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155092>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2018-19360](<https://vulners.com/cve/CVE-2018-19360>)
**DESCRIPTION:** FasterXML jackson-databind fails to block the axis2-transport-jms class from polymorphic deserialization. The impact and attack vector are unspecified.
**CVSS Base score:** 5.3
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/155091](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155091>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2018-14721](<https://vulners.com/cve/CVE-2018-14721>)
**DESCRIPTION:** FasterXML jackson-databind is vulnerable to server-side request forgery, caused by the failure to block the axis2-jaxws class from polymorphic deserialization. A remote attacker could exploit this vulnerability to obtain sensitive data.
**CVSS Base score:** 5.3
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/155136](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155136>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** [CVE-2018-7489](<https://vulners.com/cve/CVE-2018-7489>)
**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue method of the ObjectMapper. By sending specially crafted JSON input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CVSS Base score:** 7.3
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/139549](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139549>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2018-5968](<https://vulners.com/cve/CVE-2018-5968>)
**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by deserialization flaws. By using two different gadgets that bypass the class blocklist, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CVSS Base score:** 7.3
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/138088](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138088>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2017-15095](<https://vulners.com/cve/CVE-2017-15095>)
**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue() method of the ObjectMapper. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CVSS Base score:** 9.8
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/135123](<https://exchange.xforce.ibmcloud.com/vulnerabilities/135123>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2018-12023](<https://vulners.com/cve/CVE-2018-12023>)
**DESCRIPTION:** FasterXML jackson-databind before 2.9.6 mishandles the interaction between serialization gadgets and typing, related to the Oracle JDBC driver classes. A remote attacker could exploit this vulnerability to take control of the system.
**CVSS Base score:** 8.1
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/151425](<https://exchange.xforce.ibmcloud.com/vulnerabilities/151425>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>)
**DESCRIPTION:** A polymorphic typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
**CVSS Base score:** 5.3
**CVSS Temporal Score:** See [https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

## Affected Products and Versions

These vulnerabilities affect the following versions of the IBM Maximo Asset Management core product. Older versions of Maximo Asset Management may also be impacted; the recommended action is to update to the latest version.

**Maximo Asset Management core product versions affected:**

Affected Product(s) | Version(s)
---|---
IBM Maximo Asset Management | 7.6.0
IBM Maximo Asset Management | 7.6.1

**Industry Solutions products affected if using an affected core version:**

- Maximo for Aviation
- Maximo for Life Sciences
- Maximo for Nuclear Power
- Maximo for Oil and Gas
- Maximo for Transportation
- Maximo for Utilities

**IBM Control Desk products affected if using an affected core version:**

- SmartCloud Control Desk
- IBM Control Desk
- Tivoli Integration Composer

\* To determine the core product version, log in and view System Information. The core product version is the "Tivoli's process automation engine" version. Consult the [Product Coexistence Matrix](<https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20Maximo%20Asset%20Management/page/Product%20compatibility>) for a list of supported product combinations.

## Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central and apply it for each affected product as soon as possible. See below for the fixes available for each product, version, and release, and follow the installation instructions in the readme documentation provided with each fix pack or interim fix. Note that the only fix listed is in the 7.6.1 stream: 7.6.0 installations need to move to 7.6.1.2 or a later release rather than wait for a 7.6.0 interim fix.

**For Maximo Asset Management 7.6:**

VRM | Fix Pack, Feature Pack, or Interim Fix | Download
---|---|---
7.6.1.2 | Maximo Asset Management 7.6.1.2 Feature Pack: [7.6.1.2-TIV-MAMMT-FP002](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+Maximo+Asset+Management&release=7.6.1.1&platform=All&function=fixId&fixids=7.6.1.2-TIV-MAMMT-FP002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp> "7.6.1.2-TIV-MAMMT-FP002") or latest Interim Fix available | [FixCentral](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Maximo+Asset+Management&fixids=7.6.1.2-TIV-MAMMT-FP002&source=SARhttps://w3.ibm.com&function=fixId&parent=ibm/Tivoli> "FixCentral")

## Workarounds and Mitigations

None
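The bulletin identifies exposure by the Maximo core product version, but what actually matters on a host is which copies of jackson-databind are loaded, and a WebSphere deployment can carry several (inside the EAR, in WAR libraries, in shared library directories). The following script, an added example and not IBM's tooling, walks a directory tree, descends into nested JAR/WAR/EAR archives, reads each jackson-databind version from its Maven pom.properties (falling back to the file name), and flags anything older than 2.9.10. That threshold is an assumption taken from the bulletin's CVE-2019-16335 entry ("before 2.9.10"), the latest fixed version it cites; the sample deployment tree the script builds in a temporary directory is constructed for the demonstration.

```python
"""Added example (not IBM tooling): find every copy of jackson-databind under a
deployment directory, including jars nested inside WAR/EAR archives, and flag
the ones older than the bulletin's fix threshold."""
import io
import os
import re
import shutil
import tempfile
import zipfile

# Threshold assumed from the bulletin: CVE-2019-16335 is fixed in 2.9.10, the
# latest "before" version it cites, so anything older is exposed to at least
# one listed CVE. Raise it when a newer bulletin adds CVEs.
FIXED_IN = (2, 9, 10)
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
NESTED_EXT = (".jar", ".war", ".ear", ".zip")
NAME_RE = re.compile(r"jackson-databind-(\d[\w.-]*?)\.jar$", re.I)


def parse_version(text):
    """'2.9.9.1' -> (2, 9, 9, 1). Jackson micro-patches carry a fourth field, so
    a string compare ('2.9.9.1' < '2.9.10' is False) gets them wrong; a numeric
    tuple compare does not. A non-numeric piece (e.g. '-SNAPSHOT') ends parsing."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version):
    """True when the version predates FIXED_IN."""
    return parse_version(version) < FIXED_IN


def _version_from_pom(zf):
    """Maven-built jars carry pom.properties; prefer it over the file name."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_bytes(data, path, findings):
    """Inspect one archive and recurse into nested ones; '!' separates nesting
    levels in the reported path, as in a jar: URL."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        version = _version_from_pom(zf)
        if version is None:  # shaded or repackaged jar: fall back to the name
            m = NAME_RE.search(os.path.basename(path))
            version = m.group(1) if m else None
        if version is not None:
            findings.append((path, version, is_vulnerable(version)))
        for name in zf.namelist():
            if name.lower().endswith(NESTED_EXT):
                scan_bytes(zf.read(name), path + "!" + name, findings)


def scan_tree(root):
    """Return [(path, version, vulnerable)] for each jackson-databind found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(NESTED_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_bytes(fh.read(), full, findings)
    return findings


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _databind_jar(version):
    return _zip_bytes({POM_PROPS: "artifactId=jackson-databind\nversion=%s\n" % version})


def demo():
    """Constructed sample tree (not a real Maximo install): a patched jar nested
    EAR -> WAR -> WEB-INF/lib, a stale 2.9.9.1 in a shared lib directory, and a
    jar without pom.properties that is identified by file name only."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "shared", "lib"))
        files = {
            os.path.join("shared", "lib", "jackson-databind-2.9.9.1.jar"): _databind_jar("2.9.9.1"),
            "jackson-databind-2.8.11.jar": _zip_bytes({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
            "maximo.ear": _zip_bytes({
                "META-INF/application.xml": "<application/>",
                "maximo.war": _zip_bytes({
                    "WEB-INF/lib/jackson-databind-2.9.10.jar": _databind_jar("2.9.10")}),
            }),
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return sorted((p[len(root) + 1:].replace(os.sep, "/"), v, bad)
                      for p, v, bad in scan_tree(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, version, bad in demo():
        print("%-5s %-8s %s" % ("VULN" if bad else "ok", version, path))
```

Run it against the WebSphere profile's `installedApps` directory and any shared library paths configured for the Maximo server; replace `demo()` with `scan_tree(path)`. A 2.9.10 copy inside the EAR does not clear the host if a shared library still loads an older one, which is why the scan reports every copy rather than the first.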


## Affected Software

Product | Version
---|---
ibm maximo workforce assistant solutions saas | any
maximo calibration | 7.6
maximo asset management scheduler plus | 7.6.7.3
maximo asset management scheduler plus | 7.6.7.1
maximo asset management scheduler plus | 7.6.7
maximo enterprise adapter | 7.6.1
maximo enterprise adapter | 7.6
ibm maximo asset health insights | 7.6.1.1
ibm maximo asset health insights | 7.6.1
tivoli integration composer | 7.6
maximo for transportation | 7.6.2.5
maximo for transportation | 7.6.2.4
maximo for transportation | 7.6.2.3
maximo for nuclear power | 7.6.1
maximo linear asset manager | 7.6.0.3
maximo linear asset manager | 7.6.0.2
maximo linear asset manager | 7.6.0.
ibm maximo asset management | 7.6.0
ibm maximo asset management | 7.6.1
maximo asset management scheduler | 7.6.7.3
maximo asset management scheduler | 7.6.7.1
maximo asset management scheduler | 7.6.7
ibm maximo network on blockchain | 7.6.0.1
ibm maximo network on blockchain | 7.6.0.0
ibm maximo for service providers | 7.6.3.3
ibm maximo for service providers | 7.6.3.2
ibm maximo for service providers | 7.6.3.1
maximo for utilities | 7.6.0.2
maximo for utilities | 7.6.0.1
ibm maximo for aviation | 7.6.8
ibm maximo for aviation | 7.6.7
ibm maximo for aviation | 7.6.6
maximo for oil and gas | 7.6.1
maximo asset configuration manager | 7.6.7.1
maximo asset configuration manager | 7.6.7
maximo asset configuration manager | 7.6.6
ibm control desk | 7.6.1.1
ibm control desk | 7.6.1
maximo spatial asset management | 7.6.0.5
maximo spatial asset management | 7.6.0.4
maximo spatial asset management | 7.6.0.3
maximo spatial asset management | 7.6.0.2
maximo for life sciences | 7.6
