Lucene search

K
ibmIBM74ECBB84CE8413AF6DA93062925AAA87DD5232E1319904ACEC3D5A509E59A9F3
HistoryOct 01, 2019 - 4:24 p.m.

Security Bulletin: Vulnerabilities in FasterXML Jackson libraries affect IBM Cúram Social Program Management (CVE-2019-14439, CVE-2019-14379, CVE-2019-12814, CVE-2019-12086)

2019-10-0116:24:26
www.ibm.com
13

EPSS

0.015

Percentile

87.2%

Summary

IBM Cúram Social Program Management uses the FasterXML Jackson libraries, for which there are four publicly known vulnerabilities. Three of the vulnerabilities, which are caused by various polymorphic typing issues, could enable a remote attacker to obtain sensitive information. The fourth vulnerability, which is caused by a flaw in the SubTypeValidator.java, could enable a remote attacker to execute arbitrary code on the system.

Vulnerability Details

CVE-ID: CVE-2019-14439
Description: FasterXML jackson-databind could enable a remote attacker to obtain sensitive information, where the vulnerability is caused by a polymorphic typing issue when Default Typing is enabled. A remote attacker could exploit the vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/164744&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2019-14379
Description: FasterXML jackson-databind could enable a remote attacker to execute arbitrary code on the system, where the vulnerability is caused by a flaw in the SubTypeValidator.java. An attacker could exploit the vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/165286&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2019-12814

Description: FasterXML jackson-databind could enable a remote attacker to obtain sensitive information, where the vulnerability is caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit the vulnerability to read arbitrary local files on the server.
CVSS Base Score: 7.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/162875&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVE-ID: CVE-2019-12086
Description: FasterXML jackson-databind could enable a remote attacker to obtain sensitive information, where the vulnerability is caused by a Polymorphic Typing issue that occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. By sending a specially-crafted JSON message, a remote attacker could exploit the vulnerability to read arbitrary local files on the server.
CVSS Base Score: 5.3
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/161256&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Cúram Social Program Management 7.0.5.0 - 7.0.7.0

IBM Cúram Social Program Management 7.0.0.0 - 7.0.4.3

Remediation/Fixes

Product VRMF Remediation/First Fix
Cúram SPM

7.0.8

| Visit IBM Fix Central and upgrade to 7.0.8 or a subsequent 7.0.8 release.
Cúram SPM |

7.0.4

| Visit IBM Fix Central and upgrade to 7.0.4.4 or a subsequent 7.0.4 release.

Workarounds and Mitigations

For information about all other versions, contact IBM Cúram Social Program Management customer support.