Lucene search
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.SUSE_SU-2022-1678-1.NASLHistoryMay 17, 2022 - 12:00 a.m.
SUSE SLED15 / SLES15 Security Update : jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core (SUSE-SU-2022:1678-1)
2022-05-1700:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
59
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:1678-1 advisory.
-
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly.
This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. (CVE-2020-25649) -
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. (CVE-2020-28491)
-
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. (CVE-2020-36518)
Note that Nessus has not tested for these issues but has instead relied only on the applicationâs self-reported version number.
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2022:1678-1. The text itself
# is copyright (C) SUSE.
##
include('compat.inc');
if (description)
{
script_id(161231);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/13");
script_cve_id("CVE-2020-25649", "CVE-2020-28491", "CVE-2020-36518");
script_xref(name:"SuSE", value:"SUSE-SU-2022:1678-1");
script_xref(name:"CEA-ID", value:"CEA-2021-0025");
script_name(english:"SUSE SLED15 / SLES15 Security Update : jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core (SUSE-SU-2022:1678-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by
multiple vulnerabilities as referenced in the SUSE-SU-2022:1678-1 advisory.
- A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly.
This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this
vulnerability is data integrity. (CVE-2020-25649)
- This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before
2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a
java.lang.OutOfMemoryError exception. (CVE-2020-28491)
- jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large
depth of nested objects. (CVE-2020-36518)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1177616");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1182481");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1197132");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-25649");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-28491");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-36518");
# https://lists.suse.com/pipermail/sle-security-updates/2022-May/011022.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?98770776");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-25649");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/12/03");
script_set_attribute(attribute:"patch_publication_date", value:"2022/05/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/05/17");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:jackson-annotations");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:jackson-annotations-javadoc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:jackson-core");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:jackson-core-javadoc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:jackson-databind");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:jackson-databind-javadoc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:jackson-dataformat-cbor");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED15|SLED_SAP15|SLES15|SLES_SAP15)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15', 'SUSE (' + os_ver + ')');
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLED15" && (! preg(pattern:"^(3|4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLED15 SP3/4", os_ver + " SP" + service_pack);
if (os_ver == "SLED_SAP15" && (! preg(pattern:"^(3|4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLED_SAP15 SP3/4", os_ver + " SP" + service_pack);
if (os_ver == "SLES15" && (! preg(pattern:"^(2|3|4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES15 SP2/3/4", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP15" && (! preg(pattern:"^(2|3|4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP15 SP2/3/4", os_ver + " SP" + service_pack);
var pkgs = [
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'2', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.2']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'2', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.2']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'2', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.2']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'2', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.2']},
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-annotations-javadoc-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-annotations-javadoc-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-core-javadoc-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-core-javadoc-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'3', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'3', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-databind-javadoc-2.13.0-150200.3.9.1', 'sp':'3', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-databind-javadoc-2.13.0-150200.3.9.1', 'sp':'3', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'3', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'3', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'4', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'4', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'4', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'4', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-2', 'SLE_RT-release-15.2', 'sles-release-15.2']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-2', 'SLE_RT-release-15.2', 'sles-release-15.2']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-2', 'SLE_RT-release-15.2', 'sles-release-15.2']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-2', 'SLE_RT-release-15.2', 'sles-release-15.2']},
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.2', 'sles-ltss-release-15.2']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.2', 'sles-ltss-release-15.2']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.2', 'sles-ltss-release-15.2']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.2', 'sles-ltss-release-15.2']},
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sle-module-development-tools-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sle-module-development-tools-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-annotations-javadoc-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-annotations-javadoc-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sle-module-development-tools-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sle-module-development-tools-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-core-javadoc-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-core-javadoc-2.13.0-150200.3.6.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sle-module-development-tools-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sle-module-development-tools-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-databind-javadoc-2.13.0-150200.3.9.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-databind-javadoc-2.13.0-150200.3.9.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-basesystem-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-development-tools-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.3', 'sle-module-development-tools-release-15.3', 'sled-release-15.3', 'sles-release-15.3']},
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'4', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-basesystem-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},
{'reference':'jackson-annotations-2.13.0-150200.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-basesystem-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'4', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-basesystem-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},
{'reference':'jackson-core-2.13.0-150200.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-basesystem-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'4', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-basesystem-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},
{'reference':'jackson-databind-2.13.0-150200.3.9.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-basesystem-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'4', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-development-tools-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},
{'reference':'jackson-dataformat-cbor-2.13.0-150200.3.3.3', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-development-tools-release-15.4', 'sled-release-15.4', 'sles-release-15.4']}
];
var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var exists_check = NULL;
var rpm_spec_vers_cmp = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (reference && _release) {
if (exists_check) {
var check_flag = 0;
foreach var check (exists_check) {
if (!rpm_exists(release:_release, rpm:check)) continue;
if ('ltss' >< tolower(check)) ltss_caveat_required = TRUE;
check_flag++;
}
if (!check_flag) continue;
}
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
}
}
if (flag)
{
var ltss_plugin_caveat = NULL;
if(ltss_caveat_required) ltss_plugin_caveat = '\n' +
'NOTE: This vulnerability check contains fixes that apply to\n' +
'packages only available in SUSE Enterprise Linux Server LTSS\n' +
'repositories. Access to these package security updates require\n' +
'a paid SUSE LTSS subscription.\n';
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get() + ltss_plugin_caveat
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jackson-annotations / jackson-annotations-javadoc / jackson-core / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| novell | suse_linux | jackson-annotations | p-cpe:/a:novell:suse_linux:jackson-annotations |
| novell | suse_linux | jackson-annotations-javadoc | p-cpe:/a:novell:suse_linux:jackson-annotations-javadoc |
| novell | suse_linux | jackson-core | p-cpe:/a:novell:suse_linux:jackson-core |
| novell | suse_linux | jackson-core-javadoc | p-cpe:/a:novell:suse_linux:jackson-core-javadoc |
| novell | suse_linux | jackson-databind | p-cpe:/a:novell:suse_linux:jackson-databind |
| novell | suse_linux | jackson-databind-javadoc | p-cpe:/a:novell:suse_linux:jackson-databind-javadoc |
| novell | suse_linux | jackson-dataformat-cbor | p-cpe:/a:novell:suse_linux:jackson-dataformat-cbor |
| novell | suse_linux | 15 | cpe:/o:novell:suse_linux:15 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25649
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28491
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518
www.nessus.org/u?98770776
bugzilla.suse.com/1177616
bugzilla.suse.com/1182481
bugzilla.suse.com/1197132
www.suse.com/security/cve/CVE-2020-25649
www.suse.com/security/cve/CVE-2020-28491
www.suse.com/security/cve/CVE-2020-36518
Related
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2022:1678-1)
2022-05-17 00:00:00
openSUSE: Security Advisory for jackson-databind, (SUSE-SU-2022:1678-1)
2022-05-17 00:00:00
Fedora: Security Advisory for jackson-databind (FEDORA-2021-1d8254899c)
2021-02-10 00:00:00
suse
suse
ibm
ibm
Security Bulletin: IBM Security Verify Governance is vulnerable to a denial of service caused by a Java StackOverflow exception(CVE-2020-36518),CVE-2020-25649,
2023-04-05 11:57:04
veracode
veracode
Denial Of Service (DoS)
2021-02-19 01:15:41
XML External Entity (XXE)
2020-10-15 05:10:32
Denial Of Service (DoS)
2022-03-14 09:02:56
redhat
redhat
prion
prion
github
github
Denial of Service (DoS) in Jackson Dataformat CBOR
2021-12-09 19:17:21
XML External Entity (XXE) Injection in Jackson Databind
2021-02-18 20:51:54
Deeply nested json in jackson-databind
2022-03-12 00:00:36
cve
cve
osv
osv
Denial of Service (DoS) in Jackson Dataformat CBOR
2021-12-09 19:17:21
XML External Entity (XXE) Injection in Jackson Databind
2021-02-18 20:51:54
jackson-databind - security update
2020-10-14 00:00:00
redhatcve
redhatcve
nessus
nessus
Debian DLA-2406-1 : jackson-databind security update
2020-10-15 00:00:00
RHEL 7 : rh-maven35-jackson-databind (RHSA-2020:4312)
2023-01-23 00:00:00
Oracle Primavera P6 Enterprise Project Portfolio Management (Jul 2022 CPU)
2022-10-05 00:00:00
debiancve
debiancve
ubuntucve
ubuntucve
atlassian
atlassian
XXE (XML External Entity Injection) jackson-databind in Jira Software Data Center and Server
2023-12-07 21:45:20
Bump jackson-databind dependency to 2.13.4.2
2023-01-12 09:57:47
jackson-databind Vulnerability in Bamboo Data Center and Server
2023-10-06 17:44:47
debian
debian
[SECURITY] [DLA 2406-1] jackson-databind security update
2020-10-14 10:31:09
[SECURITY] [DLA 2990-1] jackson-databind security update
2022-05-02 18:33:27
[SECURITY] [DLA 3207-1] jackson-databind security update
2022-11-27 18:53:52
fedora
fedora
[SECURITY] Fedora 32 Update: jackson-databind-2.10.5.1-1.fc32
2021-02-10 01:30:26
freebsd
freebsd
kafka -- Denial Of Service vulnerability
2022-03-11 00:00:00
oraclelinux
oraclelinux
jackson security update
2023-05-15 00:00:00
almalinux
almalinux
Moderate: jackson security update
2023-05-09 00:00:00
mageia
mageia
Updated jackson-databind packages fix security vulnerabilities
2024-03-16 19:28:17
threatpost
threatpost
IBM Squashes Critical Remote Code-Execution Flaw
2021-02-23 19:36:32
Related for SUSE_SU-2022-1678-1.NASL