Vulnerability Name: CVE-2018-19361 (CCN-155092) Assigned: 2018-11-18 Published: 2018-11-18 Updated: 2020-08-31 Summary: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H )8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N )4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): LowAvailibility (A): None
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
Vulnerability Type: CWE-502 Vulnerability Consequences: Unknown References: Source: MITRE Type: CNACVE-2018-19361 Source: CCN Type: IBM Security Bulletin 871810 (COS SDK Java)Multiple vulnerabilities affect IBM Cloud Object Storage SDK Java (Feb 2019) Source: BID Type: Third Party Advisory, VDB Entry107985 Source: REDHAT Type: Third Party AdvisoryRHBA-2019:0959 Source: REDHAT Type: Third Party AdvisoryRHSA-2019:0782 Source: REDHAT Type: Third Party AdvisoryRHSA-2019:0877 Source: REDHAT Type: Third Party AdvisoryRHSA-2019:1782 Source: REDHAT Type: Third Party AdvisoryRHSA-2019:1797 Source: REDHAT Type: Third Party AdvisoryRHSA-2019:1822 Source: REDHAT Type: Third Party AdvisoryRHSA-2019:1823 Source: REDHAT Type: UNKNOWNRHSA-2019:2804 Source: REDHAT Type: UNKNOWNRHSA-2019:2858 Source: REDHAT Type: UNKNOWNRHSA-2019:3002 Source: REDHAT Type: UNKNOWNRHSA-2019:3140 Source: REDHAT Type: UNKNOWNRHSA-2019:3149 Source: REDHAT Type: UNKNOWNRHSA-2019:3892 Source: REDHAT Type: UNKNOWNRHSA-2019:4037 Source: XF Type: UNKNOWNfasterxml-cve201819361-unspecified(155092) Source: CONFIRM Type: Patch, Third Party Advisoryhttps://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b Source: CCN Type: jackson-databind GIT RepositoryBlock more classes from polymorphic deserialization (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362) #2186 Source: CONFIRM Type: Issue Tracking, Patch, Third Party Advisoryhttps://github.com/FasterXML/jackson-databind/issues/2186 Source: CONFIRM Type: Patch, Release Notes, Third Party Advisoryhttps://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 Source: CONFIRM Type: Issue Tracking, Third Party Advisoryhttps://issues.apache.org/jira/browse/TINKERPOP-2121 Source: MLIST Type: Mailing List, Patch, Third Party Advisory[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities Source: MLIST Type: UNKNOWN[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities Source: MLIST Type: UNKNOWN[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities Source: MLIST Type: UNKNOWN[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html Source: MLIST Type: Mailing List, Patch, Third Party Advisory[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities Source: MLIST Type: UNKNOWN[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities Source: MLIST Type: Third Party Advisory[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 Source: MLIST Type: UNKNOWN[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image Source: MLIST Type: UNKNOWN[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html Source: MLIST Type: UNKNOWN[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12 Source: MLIST Type: Mailing List, Third Party Advisory[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update Source: BUGTRAQ Type: Mailing List, Third Party Advisory20190527 [SECURITY] [DSA 4452-1] jackson-databind security update Source: CONFIRM Type: Third Party Advisoryhttps://security.netapp.com/advisory/ntap-20190530-0003/ Source: CCN Type: IBM Security Bulletin 885602 (PureApplication System)Multiple vulnerabilities affect IBM PureApplication System Source: DEBIAN Type: Third Party AdvisoryDSA-4452 Source: CCN Type: IBM Security Bulletin 874334 (Tivoli Netcool/OMNIbus)Multiple vulnerabilities have been identified in FasterXML Jackson library shipped with IBM Tivoli Netcool/OMNIbus Common Integration Libraries (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-1000873) Source: CCN Type: IBM Security Bulletin 876544 (Event Streams)IBM Event Streams is affected by jackson-databind vulnerabilities Source: CCN Type: IBM Security Bulletin 2867997 (Rational Rhapsody Design Manager)Security vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology Source: CCN Type: IBM Security Bulletin 6209691 (Sterling B2B Integrator)Multiple Security Vulnerabilities in Jackson-databind Affect IBM Sterling B2B Integrator Source: CCN Type: IBM Security Bulletin 6217807 (Security Identity Governance and Intelligence)IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities Source: CCN Type: IBM Security Bulletin 6244628 (Rational Publishing Engine)Third party vulnerable library Jackson-Databind affects IBM Engineering Lifecycle Optimization - Publishing Source: CCN Type: IBM Security Bulletin 6320835 (Security Guardium Data Encryption)Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) Source: CCN Type: IBM Security Bulletin 6324739 (Security Guardium Insights)IBM Security Guardium Insights is affected by Components with known vulnerabilities Source: CCN Type: IBM Security Bulletin 6340251 (Maximo Asset Management)IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020 Source: CCN Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption)Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) Source: CCN Type: IBM Security Bulletin 6410462 (Security Trusteer Mobile SDK)Android Mobile SDK compile builder includes vulnerable components Source: CCN Type: IBM Security Bulletin 6444089 (Log Analysis)Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics - Log Analysis Source: CCN Type: IBM Security Bulletin 6593435 (Process Mining)Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs) Source: CCN Type: IBM Security Bulletin 6828455 (z/Transaction Processing Facility)z/Transaction Processing Facility is affected by multiple vulnerabilities in the jackson-databind, jackson-dataformat-xml, jackson-core, slf4j-ext, and cxf-core packages Source: CCN Type: IBM Security Bulletin 6840955 (Log Analysis)Multiple vulnerabilities in Data-Binding for Jackson shipped with IBM Operations Analytics - Log Analysis Source: CCN Type: IBM Security Bulletin 6853637 (Sterling B2B Integrator)B2B API of IBM Sterling B2B Integrator is vulnerable to multiple issues due to FasterXML jackson-databind Source: CCN Type: IBM Security Bulletin 6910171 (Integration Designer)Multiple CVEs affect IBM Integration Designer Source: CCN Type: IBM Security Bulletin 6983482 (Security Verify Governance)IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities. Source: N/A Type: UNKNOWNN/A Source: MISC Type: Patch, Third Party Advisoryhttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Source: MISC Type: Patch, Third Party Advisoryhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Source: MISC Type: UNKNOWNhttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Vulnerable Configuration: Configuration 1 :cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.6.0 and <= 2.6.7.2)OR cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.7.0 and < 2.7.9.5) OR cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.8.0 and < 2.8.11.3) OR cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.9.0 and < 2.9.8) Configuration 2 :cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:* Configuration 3 :cpe:/a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* (Version >= 17.7 and <= 17.12) OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:*:*:*:*:*:*:*:* (Version >= 17.7 and <= 17.12) OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_workforce_management:1.60.9.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* Configuration 4 :cpe:/a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:* OR cpe:/a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:* OR cpe:/a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:* OR cpe:/a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:* OR cpe:/a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:fasterxml:jackson-databind:2.9.7:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.3:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.4:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.5:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.6:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.7:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.8:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.9:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.9.1:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.9.2:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.9.3:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.9.4:*:*:*:*:*:*:* OR cpe:/a:fasterxml:jackson-databind:2.9.5:*:*:*:*:*:*:* AND cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:maximo_asset_management:7.6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:pureapplication_system:2.2.3.0:*:*:*:*:*:*:* OR cpe:/a:ibm:pureapplication_system:2.2.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:pureapplication_system:2.2.3.2:*:*:*:*:*:*:* OR cpe:/a:ibm:pureapplication_system:2.2.4.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.4:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.5:*:*:*:*:*:*:* OR cpe:/a:ibm:pureapplication_system:2.2.5.0:*:*:*:*:*:*:* OR cpe:/a:ibm:pureapplication_system:2.2.5.1:*:*:*:*:*:*:* OR cpe:/a:ibm:maximo_asset_management:7.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_publishing_engine:6.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:pureapplication_system:2.2.5.2:*:*:*:*:*:*:* OR cpe:/a:ibm:event_streams:2018.3.0:*:*:*:*:*:*:* OR cpe:/a:ibm:pureapplication_system:2.2.5.3:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:event_streams:2018.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.6:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.2:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.3:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.4:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.5:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_publishing_engine:7.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium_insights:2.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.1.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.2.0:*:*:*:standard:*:*:* Denotes that component is vulnerable Oval Definitions BACK
fasterxml jackson-databind *
fasterxml jackson-databind *
fasterxml jackson-databind *
fasterxml jackson-databind *
debian debian linux 8.0
debian debian linux 9.0
oracle business process management suite 12.1.3.0.0
oracle business process management suite 12.2.1.3.0
oracle primavera p6 enterprise project portfolio management 15.1
oracle primavera p6 enterprise project portfolio management 15.2
oracle primavera p6 enterprise project portfolio management 16.1
oracle primavera p6 enterprise project portfolio management 16.2
oracle primavera p6 enterprise project portfolio management *
oracle primavera p6 enterprise project portfolio management 18.8
oracle primavera unifier 16.1
oracle primavera unifier 16.2
oracle primavera unifier *
oracle primavera unifier 18.8
oracle retail workforce management software 1.60.9.0.0
oracle webcenter portal 12.2.1.3.0
redhat automation manager 7.3.1
redhat decision manager 7.3.1
redhat jboss bpm suite 6.4.11
redhat jboss brms 6.4.10
redhat openshift container platform 3.11
fasterxml jackson-databind 2.9.7
fasterxml jackson-databind 2.9.6
fasterxml jackson-databind 2.3
fasterxml jackson-databind 2.4
fasterxml jackson-databind 2.5
fasterxml jackson-databind 2.6
fasterxml jackson-databind 2.7
fasterxml jackson-databind 2.8
fasterxml jackson-databind 2.9
fasterxml jackson-databind 2.9.1
fasterxml jackson-databind 2.9.2
fasterxml jackson-databind 2.9.3
fasterxml jackson-databind 2.9.4
fasterxml jackson-databind 2.9.5
ibm tivoli netcool/omnibus 8.1.0
ibm maximo asset management 7.6.0
ibm rational rhapsody design manager 6.0
ibm rational rhapsody design manager 6.0.1
ibm rational rhapsody design manager 6.0.2
ibm rational rhapsody design manager 6.0.3
ibm pureapplication system 2.2.3.0
ibm pureapplication system 2.2.3.1
ibm pureapplication system 2.2.3.2
ibm pureapplication system 2.2.4.0
ibm rational rhapsody design manager 6.0.4
ibm rational rhapsody design manager 6.0.5
ibm pureapplication system 2.2.5.0
ibm pureapplication system 2.2.5.1
ibm maximo asset management 7.6.1
ibm rational rhapsody design manager 6.0.6
ibm rational publishing engine 6.0.6
ibm pureapplication system 2.2.5.2
ibm event streams 2018.3.0
ibm pureapplication system 2.2.5.3
ibm sterling b2b integrator 6.0.0.0
ibm sterling b2b integrator 5.2.0.0
ibm event streams 2018.3.1
ibm rational rhapsody design manager 6.0.6.1
ibm sterling b2b integrator 6.0.3.1
ibm security identity governance and intelligence 5.2.6
ibm log analysis 1.3.5.3
ibm log analysis 1.3.6.0
ibm log analysis 1.3.1
ibm log analysis 1.3.2
ibm log analysis 1.3.3
ibm log analysis 1.3.4
ibm log analysis 1.3.5
ibm log analysis 1.3.6
ibm rational publishing engine 7.0
ibm security guardium insights 2.0.1
ibm security guardium data encryption 3.0.0.2
ibm log analysis 1.3.6.1
ibm sterling b2b integrator 6.1.0.0
ibm integration designer 20.0.0.2
ibm sterling b2b integrator 6.1.1.0
ibm security verify governance 10.0
ibm sterling b2b integrator 6.1.2.0