Security Bulletin: Security vulnerabilities in the jackson-databind routines fixed in IBM Security Access Manager


## Summary Security vulnerabilities were fixed in the IBM Security Access Manager appliance in the jackson-databind utilities. ## Vulnerability Details ** CVEID: **[CVE-2019-14439](<https://vulners.com/cve/CVE-2019-14439>) ** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164744](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164744>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2019-14379](<https://vulners.com/cve/CVE-2019-14379>) ** DESCRIPTION: **SubTypeValidator.java in FasterXML jackson-databind before mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165286>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ## Affected Products and Versions Affected Product(s)| Version(s) ---|--- ISAM| 9.0 ## Remediation/Fixes Product| VRMF| Apar| Remediation/First Fix ---|---|---|--- IBM Security Access Manager Appliance|| IJ22059| [](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=> "" ) For the docker image after authentication to dockerhub.com you can get the image by using the command: docker pull store/ibmcorp/isam: ## Workarounds and Mitigations None ##

Affected Software

CPE Name Name Version
ibm security access manager appliance 9.0.