
Security Bulletin: Security vulnerabilities in the jackson-databind routines fixed in IBM Security Access Manager

Description

## Summary

Security vulnerabilities were fixed in the IBM Security Access Manager appliance in the jackson-databind utilities.

## Vulnerability Details

**CVEID:** [CVE-2019-14439](<https://vulners.com/cve/CVE-2019-14439>)
**DESCRIPTION:** A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/164744](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164744>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** [CVE-2019-14379](<https://vulners.com/cve/CVE-2019-14379>)
**DESCRIPTION:** SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVSS Base score: 9.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/165286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165286>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

## Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| ISAM | 9.0 |

## Remediation/Fixes

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM Security Access Manager Appliance | 9.0.7.0 | IJ22059 | [9.0.7.1-ISS-ISAM-IF0002](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=9.0.7.1&platform=Linux&function=fixId&fixids=9.0.7.1-ISS-ISAM-IF0002&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp> "9.0.7.1-ISS-ISAM-IF0002") |

For the Docker image, after authenticating to dockerhub.com you can get the image by using the command:

    docker pull store/ibmcorp/isam:9.0.7.1_IF2

## Workarounds and Mitigations

None
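Both CVEs above hinge on one application-side condition: Default Typing enabled on an externally exposed JSON endpoint, which lets the JSON document itself choose the concrete class to instantiate, so any class on the classpath (logback, ehcache, and so on) becomes reachable from untrusted input. The Java snippet below is added here as an illustration and is not code from IBM or from the jackson-databind project. It places the weak `ObjectMapper` configuration beside a hardened one that only activates polymorphic typing behind an explicit allow-list `PolymorphicTypeValidator` (an API available from jackson-databind 2.10). The `Event`/`LoginEvent` types, the `com.example.events.` package prefix and the sample input are assumptions constructed for the example; the actual remediation remains upgrading to a fixed jackson-databind build (2.9.9.2 or later per the bulletin) or the ISAM fix pack listed above.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingConfig {

    // Constructed domain types for this example; not from the bulletin.
    public interface Event {}

    public static final class LoginEvent implements Event {
        public String user;
    }

    /**
     * The setting the bulletin describes: global Default Typing.
     * Every JSON document may now carry a type id naming the class to
     * instantiate, so any class on the classpath is a candidate.
     */
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10, unsafe on any version
        return mapper;
    }

    /**
     * Hardened alternative (jackson-databind 2.10+): polymorphic typing is
     * activated only with an allow-list validator. Type ids outside the
     * application's own hierarchy are rejected at deserialization time,
     * regardless of which libraries happen to be on the classpath.
     */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType(Event.class)            // only for our own base type
                .allowIfSubType(LoginEvent.class)        // explicit concrete subtype
                .allowIfSubType("com.example.events.")   // assumed application package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the wrapper-array type id names a class outside the allow-list.
        String untrusted = "[\"java.util.HashMap\", {\"user\": \"alice\"}]";
        // Constructed input: the type id names the allow-listed subtype.
        String trusted = "[\"" + LoginEvent.class.getName() + "\", {\"user\": \"alice\"}]";

        ObjectMapper hardened = hardenedMapper();
        try {
            hardened.readValue(untrusted, Event.class);
            System.out.println("unexpected: type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected by validator: " + e.getOriginalMessage());
        }

        LoginEvent ok = (LoginEvent) hardened.readValue(trusted, Event.class);
        System.out.println("accepted: user=" + ok.user);
    }
}
```

The allow-list is deliberately narrow: `allowIfBaseType` limits which declared base types may carry a type id at all, and `allowIfSubType` limits which concrete classes may be named. A deny-list of known gadget classes (which is what `SubTypeValidator.java` maintains in the affected versions) is the weaker design, because it must be extended each time a new class such as the ehcache lookup is found; the allow-list needs no knowledge of the classpath.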


Affected Software

| CPE Name | Name | Version |
|---|---|---|
| | ibm security access manager appliance | 9.0. |
