Symantec Security Response SMNTC-111525
History: Jan 14, 2020 - 12:00 a.m.

FasterXML Jackson-databind CVE-2019-14540 Information Disclosure Vulnerability

www.symantec.com

Description

FasterXML Jackson-databind is prone to an information-disclosure vulnerability. An attacker can exploit this issue to obtain sensitive information that may aid in further attacks. FasterXML jackson-databind versions prior to 2.9.10 are vulnerable.
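As an added example, not part of the Symantec advisory, the check below applies the advisory's "prior to 2.9.10" threshold to the jackson-databind entries of a Maven POM. It assumes the standard Maven coordinates com.fasterxml.jackson.core:jackson-databind and uses a constructed sample POM; the four-segment versions in the affected list (such as 2.9.9.2) are why the comparison is numeric rather than string-based.

```python
import re
import xml.etree.ElementTree as ET

# The advisory states jackson-databind versions prior to 2.9.10 are vulnerable.
FIXED_VERSION = (2, 9, 10)
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

def parse_version(v: str) -> tuple:
    # Numeric tuple for up to four segments (e.g. 2.9.9.2); tuple ordering gives
    # 2.9.9.2 < 2.9.10 and 2.8.11.2 < 2.9.10, where string comparison would not.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_vulnerable(version: str) -> bool:
    # True when strictly below the 2.9.10 fix threshold.
    return parse_version(version) < FIXED_VERSION

def audit_pom(pom_xml: str) -> list:
    # Return (version, vulnerable) for each jackson-databind dependency in a
    # Maven POM, resolving ${property} versions; unresolvable -> (None, None).
    root = ET.fromstring(pom_xml)
    props = {}
    for props_el in root.iter(POM_NS + "properties"):
        for child in props_el:
            props[child.tag.replace(POM_NS, "")] = (child.text or "").strip()
    results = []
    for dep in root.iter(POM_NS + "dependency"):
        if (dep.findtext(POM_NS + "groupId") != "com.fasterxml.jackson.core"
                or dep.findtext(POM_NS + "artifactId") != "jackson-databind"):
            continue
        version = (dep.findtext(POM_NS + "version") or "").strip()
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], "")
        if not version:
            results.append((None, None))  # version managed elsewhere (BOM/parent)
        else:
            results.append((version, is_vulnerable(version)))
    return results

# Constructed sample POM (not from the advisory): a pinned vulnerable version
# and a property-resolved fixed version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.9.10</jackson.version></properties>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId><version>2.9.9.2</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId><version>${jackson.version}</version></dependency>
  </dependencies>
</project>"""
```

Dependencies whose version comes from a parent POM or an imported BOM are reported as unresolved and need to be checked with the effective POM instead.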

Technologies Affected

  • FasterXML jackson-databind 2.0.0
  • FasterXML jackson-databind 2.10
  • FasterXML jackson-databind 2.3
  • FasterXML jackson-databind 2.4
  • FasterXML jackson-databind 2.5
  • FasterXML jackson-databind 2.6
  • FasterXML jackson-databind 2.6.7.1
  • FasterXML jackson-databind 2.6.7.3
  • FasterXML jackson-databind 2.7
  • FasterXML jackson-databind 2.7.9.1
  • FasterXML jackson-databind 2.7.9.3
  • FasterXML jackson-databind 2.7.9.4
  • FasterXML jackson-databind 2.8
  • FasterXML jackson-databind 2.8.10
  • FasterXML jackson-databind 2.8.11
  • FasterXML jackson-databind 2.8.11.1
  • FasterXML jackson-databind 2.8.11.2
  • FasterXML jackson-databind 2.8.7
  • FasterXML jackson-databind 2.8.8
  • FasterXML jackson-databind 2.8.8.1
  • FasterXML jackson-databind 2.8.9
  • FasterXML jackson-databind 2.9.0
  • FasterXML jackson-databind 2.9.1
  • FasterXML jackson-databind 2.9.2
  • FasterXML jackson-databind 2.9.3
  • FasterXML jackson-databind 2.9.4
  • FasterXML jackson-databind 2.9.5
  • FasterXML jackson-databind 2.9.6
  • FasterXML jackson-databind 2.9.7
  • FasterXML jackson-databind 2.9.8
  • FasterXML jackson-databind 2.9.9
  • FasterXML jackson-databind 2.9.9.1
  • FasterXML jackson-databind 2.9.9.2
  • NetApp OnCommand Workflow Automation
  • Oracle Banking Platform 2.4.0
  • Oracle Banking Platform 2.4.1
  • Oracle Banking Platform 2.5.0
  • Oracle Banking Platform 2.6.0
  • Oracle Banking Platform 2.6.1
  • Oracle Banking Platform 2.7.0
  • Oracle Banking Platform 2.7.1
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.2
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.3
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.4
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.5
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.6
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.7
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.8
  • Oracle Primavera Gateway 15.2.18
  • Oracle Primavera Gateway 16.2.11
  • Oracle Primavera Gateway 17.12.6
  • Oracle Primavera Gateway 18.8.8.1
  • Oracle Primavera Unifier 16.1
  • Oracle Primavera Unifier 16.2
  • Oracle Primavera Unifier 17.1
  • Oracle Primavera Unifier 17.12
  • Oracle Primavera Unifier 17.7
  • Oracle Primavera Unifier 18.8
  • Oracle Primavera Unifier 19.12
  • Oracle Retail Xstore Point of Service 15.0
  • Oracle Retail Xstore Point of Service 16.0
  • Oracle Retail Xstore Point of Service 17.0
  • Oracle Retail Xstore Point of Service 18.0
  • Oracle Retail Xstore Point of Service 7.1
  • Redhat Enterprise Linux 8
  • Redhat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1
  • Redhat OpenShift Container Platform 3.10
  • Redhat OpenShift Container Platform 3.11
  • Redhat OpenShift Container Platform 3.9
  • Redhat OpenShift Container Platform 4.1
  • Redhat OpenShift Container Platform 4.2
  • Redhat OpenStack Platform 13.0 (Queens)
  • Redhat OpenStack Platform 14.0 (Rocky)
  • Redhat Software Collections

Recommendations

Block external access at the network boundary, unless external parties require service.
Filter access to the affected computer at the network boundary if global access isn’t needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.

Updates are available. Please see the references or vendor advisory for more information.