Vulnerability Name: CVE-2018-14718 (CCN-155139) Assigned: 2018-07-27 Published: 2018-07-27 Updated: 2021-05-21 Summary: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-502 Vulnerability Consequences: Gain Access References: Source: MITRECVE-2018-14718 Oracle Critical Patch Update Advisory - April 2019 Oracle Critical Patch Update Advisory - January 2019 106601 RHBA-2019:0959 RHSA-2019:0782 RHSA-2019:0877 RHSA-2019:1782 RHSA-2019:1797 RHSA-2019:1822 RHSA-2019:1823 RHSA-2019:2804 RHSA-2019:2858 RHSA-2019:3002 RHSA-2019:3140 RHSA-2019:3149 RHSA-2019:3892 RHSA-2019:4037 fasterxml-cve201814718-code-exec(155139) https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 Block more classes from polymorphic deserialization (CVE-2018-14718 - CVE-2018-14721) #2097 https://github.com/FasterXML/jackson-databind/issues/2097 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7 [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities [lucene-dev] 20190325 [jira] [Assigned] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers... [lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers... [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities [lucene-dev] 20190325 [jira] [Updated] (SOLR-13112) CVE-2018-14718(-14719),sonatype-2017-0312, CVE-2018-14720(-14721) Threat Level 8 Against Solr v7.6. com.fasterxml.jackson.core : jackson-databind : 2.9.6. FasterXML jackson-databind 2.x before 2.9.7 Remote Hackers... [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities [druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves [debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update 20190527 [SECURITY] [DSA 4452-1] jackson-databind security update https://security.netapp.com/advisory/ntap-20190530-0003/ IBM Security Guardium is affected by a jackson-databind vulnerabilities DSA-4452 Multiple Vulnerabilities in Jackson-Databind Affect IBM Global High Availability Mailbox Multiple Security Vulnerabilities in Jackson-databind Affect IBM Sterling B2B Integrator IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities IBM Security Guardium Insights is affected by Components with known vulnerabilities IBM Data Risk Manager is affected by multiple vulnerabilities Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) Android Mobile SDK compile builder includes vulnerable components Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics - Log Analysis Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs) z/Transaction Processing Facility is affected by multiple vulnerabilities in the jackson-databind, jackson-dataformat-xml, jackson-core, slf4j-ext, and cxf-core packages Multiple vulnerabilities in Data-Binding for Jackson shipped with IBM Operations Analytics - Log Analysis Multiple CVEs affect IBM Integration Designer IBM B2B Advanced Communications is vulnerable to multiple issues due to FasterXML jackson-databind IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities. N/A https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Vulnerable Configuration: Configuration 1 :cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.6.0 and < 2.6.7.2)OR cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.7.0 and < 2.7.9.5) OR cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.8.0 and < 2.8.11.3) OR cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.9.0 and < 2.9.7) Configuration 2 :cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:* Configuration 3 :cpe:/a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* OR cpe:/a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_for_virtualization:13.3.1:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:* OR cpe:/a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:* (Version < 11.2.0.3.23) OR cpe:/a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:* (Version >= 12.2.0.1.0 and < 12.2.0.1.19) OR cpe:/a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:* (Version >= 13.9.4.0.0 and < 13.9.4.2.1) OR cpe:/a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:* OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:* OR cpe:/a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:nosql_database:*:*:*:*:*:*:*:* (Version < 19.3.12) OR cpe:/a:oracle:nosql_database:19.3.12:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* (Version >= 17.7 and <= 17.12) OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:*:*:*:*:*:*:*:* (Version >= 17.7 and <= 17.12) OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_workforce_management:1.60.9.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:siebel_engineering_-_installer_&_deployment:*:*:*:*:*:*:*:* (Version <= 19.8) OR cpe:/a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:* (Version <= 19.10) OR cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* Configuration 4 :cpe:/a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* OR cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:* OR cpe:/a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:* Configuration 5 :cpe:/a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:* OR cpe:/a:redhat:openshift_container_platform:*:*:*:*:*:*:*:* (Version >= 3.11 and < 3.11.153) OR cpe:/a:redhat:openshift_container_platform:*:*:*:*:*:*:*:* (Version >= 4.6 and < 4.6.26) Configuration 6 :cpe:/a:redhat:openshift_container_platform:*:*:*:*:*:*:*:* (Version >= 4.1 and < 4.1.18)AND cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:* AND cpe:/a:ibm:security_guardium:10.0:*:*:*:*:*:*:* OR cpe:/a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:* OR cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_merchandising_system:16.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.6:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:* OR cpe:/a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:* OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_for_virtualization:13.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:10.6:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.6:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.2:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.3:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.4:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.5:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium_insights:2.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:* OR cpe:/a:ibm:multi-enterprise_integration_gateway:1.0.0.1:*:*:*:*:*:*:* Oval Definitions BACK
fasterxml jackson-databind *
fasterxml jackson-databind *
fasterxml jackson-databind *
fasterxml jackson-databind *
debian debian linux 8.0
debian debian linux 9.0
oracle banking platform 2.5.0
oracle banking platform 2.6.0
oracle banking platform 2.6.1
oracle banking platform 2.6.2
oracle business process management suite 12.1.3.0.0
oracle business process management suite 12.2.1.3.0
oracle communications billing and revenue management 7.5
oracle communications billing and revenue management 12.0
oracle communications instant messaging server 10.0.1.3.0
oracle enterprise manager for virtualization 13.2.2
oracle enterprise manager for virtualization 13.2.3
oracle enterprise manager for virtualization 13.3.1
oracle financial services analytical applications infrastructure 8.0.2
oracle financial services analytical applications infrastructure 8.0.3
oracle financial services analytical applications infrastructure 8.0.4
oracle financial services analytical applications infrastructure 8.0.5
oracle financial services analytical applications infrastructure 8.0.6
oracle financial services analytical applications infrastructure 8.0.7
oracle global lifecycle management opatch *
oracle global lifecycle management opatch *
oracle global lifecycle management opatch *
oracle jd edwards enterpriseone orchestrator 9.2
oracle jd edwards enterpriseone tools 9.2
oracle jdeveloper 12.1.3.0.0
oracle jdeveloper 12.2.1.3.0
oracle nosql database *
oracle nosql database 19.3.12
oracle primavera p6 enterprise project portfolio management 15.1
oracle primavera p6 enterprise project portfolio management 15.2
oracle primavera p6 enterprise project portfolio management 16.1
oracle primavera p6 enterprise project portfolio management 16.2
oracle primavera p6 enterprise project portfolio management *
oracle primavera p6 enterprise project portfolio management 18.8
oracle primavera unifier 16.1
oracle primavera unifier 16.2
oracle primavera unifier *
oracle primavera unifier 18.8
oracle retail customer management and segmentation foundation 17.0
oracle retail merchandising system 15.0
oracle retail merchandising system 16.0
oracle retail workforce management software 1.60.9.0.0
oracle siebel engineering - installer & deployment *
oracle siebel ui framework *
oracle webcenter portal 12.2.1.3.0
netapp oncommand workflow automation -
netapp snapcenter -
netapp steelstore cloud integrated storage -
redhat openshift container platform 3.10
redhat openshift container platform *
redhat openshift container platform *
redhat openshift container platform *
redhat enterprise linux 7.0
fasterxml jackson-databind 2.9.6
ibm security guardium 10.0
oracle jdeveloper 12.1.3.0.0
oracle primavera unifier 16.1
oracle primavera unifier 16.2
oracle communications billing and revenue management 7.5
oracle webcenter portal 12.2.1.3.0
oracle retail merchandising system 16.0
oracle banking platform 2.6
oracle primavera unifier 17.12
oracle jdeveloper 12.2.1.3.0
oracle banking platform 2.6.1
oracle banking platform 2.6.2
oracle enterprise manager for virtualization 13.2.2
oracle enterprise manager for virtualization 13.2.3
oracle primavera unifier 18.8
oracle communications billing and revenue management 12.0
oracle financial services analytical applications infrastructure 8.0.2
oracle financial services analytical applications infrastructure 8.0.3
oracle financial services analytical applications infrastructure 8.0.4
oracle financial services analytical applications infrastructure 8.0.5
oracle financial services analytical applications infrastructure 8.0.6
oracle financial services analytical applications infrastructure 8.0.7
oracle enterprise manager for virtualization 13.3.1
ibm sterling b2b integrator 5.2.0.0
ibm security guardium 10.6
oracle retail merchandising system 15.0
ibm data risk manager 2.0.6
ibm sterling b2b integrator 6.0.3.1
ibm security identity governance and intelligence 5.2.6
ibm log analysis 1.3.5.3
ibm log analysis 1.3.6.0
ibm log analysis 1.3.1
ibm log analysis 1.3.2
ibm log analysis 1.3.3
ibm log analysis 1.3.4
ibm log analysis 1.3.5
ibm log analysis 1.3.6
ibm security guardium insights 2.0.1
ibm security guardium data encryption 3.0.0.2
ibm log analysis 1.3.6.1
ibm integration designer 20.0.0.2
ibm security verify governance 10.0
ibm multi-enterprise integration gateway 1.0.0.1
Denotes that component is vulnerable