IBM Event Streams has addressed the following vulnerabilities in the jackson-databind versions shipped.
CVEID: CVE-2019-12814 DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to read arbitrary local files on the server.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162875> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2019-14439 DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue when Default Typing is enabled. A remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164744> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-14540 DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/167354> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-16335 DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariDataSource. A remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/167205> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
IBM Event Streams 2019.2.1 or earlier
โต
Upgrade to IBM Event Streams 2019.4.1 which is available from Passport Advantage.