Published: January 30, 2020, 3:59 p.m.

Security Bulletin: Security vulnerabilities in the jackson-databind routines fixed in IBM Security Access Manager

Source: www.ibm.com

EPSS: 0.01 (percentile 83.6%)

Summary

Two vulnerabilities in the jackson-databind library bundled with the IBM Security Access Manager (ISAM) appliance have been fixed. Both are deserialization issues that depend on jackson-databind Default Typing being enabled.

Vulnerability Details

CVE ID: CVE-2019-14439
DESCRIPTION: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CVSS Base score: 5.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/164744 for the current score.
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID: CVE-2019-14379
DESCRIPTION: SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVSS Base score: 9.8
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/165286 for the current score.
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
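Both CVEs share one precondition: Default Typing is enabled, so the JSON document itself names the class jackson-databind will instantiate, and the only thing standing between the caller and a dangerous constructor or setter is the library's hard-coded deny-list of known gadget classes in SubTypeValidator. The logback and ehcache entries named above were missing from that list until 2.9.9.2, which is why each new gadget class has needed a new release. The following is an added example, not code from the IBM bulletin or from the jackson-databind project, that shows the weak setting beside the allow-list configuration jackson-databind 2.10 introduced. The package com.example, the LoginEvent class and the two JSON documents are constructed for the illustration; it compiles against jackson-databind 2.10 or later as com/example/DefaultTypingDemo.java.

```java
package com.example;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not IBM's or FasterXML's code): the configuration pattern behind
 * CVE-2019-14379 and CVE-2019-14439, beside its hardened replacement.
 */
public class DefaultTypingDemo {

    // Hypothetical application type: the only class the endpoint is meant to bind.
    public static final class LoginEvent {
        public String user;
    }

    // Constructed input. With Default Typing the first array element is the type id,
    // a fully qualified class name, and whoever sends the document chooses it.
    static final String LEGITIMATE_JSON =
        "[\"com.example.DefaultTypingDemo$LoginEvent\", {\"user\": \"alice\"}]";
    static final String ATTACKER_CHOSEN_JSON =
        "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // The weak setting: any class that resolves on the classpath and is not on
    // jackson-databind's built-in deny-list may be instantiated from the type id.
    // The CVEs above are classes that were missing from that list.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // The corrected setting: Default Typing stays on, but the type id must name a
    // class under the application's own package; every other name is rejected.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns the runtime class the mapper instantiated, or null if it refused.
    // Object.class as the target is the worst case: the document decides everything.
    static String boundClass(ObjectMapper m, String json) {
        try {
            Object o = m.readValue(json, Object.class);
            return o.getClass().getName();
        } catch (JsonMappingException e) {
            return null; // InvalidTypeIdException from the validator lands here
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        ObjectMapper weak = vulnerableMapper();
        ObjectMapper safe = hardenedMapper();
        System.out.println("vulnerable, legitimate : " + boundClass(weak, LEGITIMATE_JSON));
        System.out.println("vulnerable, attacker   : " + boundClass(weak, ATTACKER_CHOSEN_JSON));
        System.out.println("hardened,   legitimate : " + boundClass(safe, LEGITIMATE_JSON));
        System.out.println("hardened,   attacker   : " + boundClass(safe, ATTACKER_CHOSEN_JSON));
    }
}
```

The vulnerable mapper binds both documents, instantiating java.util.HashMap because the document asked for it; swap that name for a gadget class that is present on the classpath and absent from the deny-list and the same code path is the remote code execution the bulletin describes. The hardened mapper binds LoginEvent and returns null for the attacker-chosen document, because the validator is an allow-list: a class name is accepted only when it matches a rule, not merely when it is absent from a list of known bad names. The stronger fix is not to enable Default Typing at all where the application does not need polymorphic input; where it is needed, the allow-list plus the upgrade in the Remediation section below is the supported configuration.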

Affected Products and Versions

Affected Product(s): IBM Security Access Manager (ISAM)
Version(s): 9.0

Remediation/Fixes

Product: IBM Security Access Manager Appliance
VRMF: 9.0.7.0
APAR: IJ22059
Remediation / First Fix: 9.0.7.1-ISS-ISAM-IF0002

For the Docker image, after authenticating to Docker Hub, pull the fixed image with: docker pull store/ibmcorp/isam:9.0.7.1_IF2

Workarounds and Mitigations

None