(RHSA-2019:0782) Important: rh-maven35-jackson-databind security update

The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.

Security Fix(es):

• jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)

• jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

• jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

• jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)

• jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)

• jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)

• jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)

• jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)

• jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

• jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.