Vulnerability Name: CVE-2019-17267 (CCN-168514) Assigned: 2019-09-17 Published: 2019-09-17 Updated: 2021-02-22 Summary: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): LowIntegrity (I): LowAvailibility (A): Low
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
Vulnerability Type: CWE-502 Vulnerability Consequences: Gain Access References: Source: MITRECVE-2019-17267 RHSA-2019:3200 RHSA-2020:0159 RHSA-2020:0160 RHSA-2020:0161 RHSA-2020:0164 RHSA-2020:0445 fasterxml-cve201917267-weak-security(168514) https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10 Block one more gadget type (ehcache, CVE-2019-17267) #2460 https://github.com/FasterXML/jackson-databind/issues/2460 [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image [druid-commits] 20200115 [druid] branch 0.17.0 updated: Suppress CVE-2019-20330 for htrace-core-4.0.1 (#9189) (#9191) [skywalking-dev] 20200324 [CVE-2019-17267] Upgrade jackson-databind version to 2.9.10 [geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12 [debian-lts-announce] 20191210 [SECURITY] [DLA 2030-1] jackson-databind security update https://security.netapp.com/advisory/ntap-20191017-0006/ IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony Multiple vulnerabilities in FasterXML Jackson-databind affect IBM Spectrum Protect Plus (CVE-2019-16943, CVE-2019-16942, CVE-2019-17531, CVE-2019-17267, CVE-2019-14540, CVE-2019-16335, CVE-2019-14379, CVE-2019-14439) Multiple security vulnerabilities have been Identified In Jackson Databind library shipped with IBM Global Mailbox Multiple Security Vulnerabilities in Jackson-databind Affect IBM Sterling B2B Integrator IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities IBM Data Risk Manager is affected by multiple vulnerabilities Multiple vulnerabilities affects IBM Jazz Foundation and IBM Engineering products. IBM Security Guardium Insights is affected by Components with known vulnerabilities IBM Data Risk Manager is affected by multiple vulnerabilities IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020 IBM Cognos Business Intelligence has addressed multiple vulnerabilities (Q12021) IBM Cognos Analytics has addressed multiple vulnerabilities Jackson-Databind Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator IBM Cloud Pak for Multicloud Management Monitoring has patched several open source dependencies Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs) IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities z/Transaction Processing Facility is affected by multiple vulnerabilities in the jackson-databind, jackson-dataformat-xml, jackson-core, slf4j-ext, and cxf-core packages Multiple vulnerabilities in Data-Binding for Jackson shipped with IBM Operations Analytics - Log Analysis Multiple CVEs affect IBM Integration Designer IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities. https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html Oracle Critical Patch Update Advisory - October 2020 https://www.oracle.com/security-alerts/cpuoct2020.html Vulnerable Configuration: Configuration 1 :cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.8.0 and < 2.8.11.5)OR cpe:/a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (Version >= 2.9.0 and < 2.9.10) Configuration 2 :cpe:/a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:* (Version >= 7.3OR cpe:/a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:* (Version >= 7.3 OR cpe:/a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:* (Version >= 9.5 OR cpe:/a:netapp:oncommand_api_services:-:*:*:*:*:*:*:* OR cpe:/a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* OR cpe:/a:netapp:service_level_manager:-:*:*:*:*:*:*:* OR cpe:/a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:* Configuration 3 :cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:* Configuration 4 :cpe:/a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:* OR cpe:/a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:* AND cpe:/o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* Configuration 5 :cpe:/a:oracle:customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:* (Version < 18.0)OR cpe:/a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:* OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:fasterxml:jackson-databind:2.9.9:*:*:*:*:*:*:* AND cpe:/a:ibm:cognos_business_intelligence:10.2.2:*:*:*:*:*:*:* OR cpe:/a:ibm:maximo_asset_management:7.6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.2:*:*:*:*:*:*:* OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:platform_symphony:7.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:platform_symphony:7.1.2:*:*:*:*:*:*:* OR cpe:/a:ibm:platform_symphony:7.2.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:maximo_asset_management:7.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_discovery:2.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:platform_symphony:7.3:*:*:*:*:*:*:* OR cpe:/a:ibm:platform_symphony:7.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.4:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.5:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.6:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:data_risk_manager:2.0.6.2:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium_insights:2.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:* Oval Definitions BACK
fasterxml jackson-databind *
fasterxml jackson-databind *
netapp active iq unified manager *
netapp active iq unified manager *
netapp active iq unified manager *
netapp oncommand api services -
netapp oncommand workflow automation -
netapp service level manager -
netapp steelstore cloud integrated storage -
debian debian linux 8.0
redhat jboss enterprise application platform 7.2
redhat jboss enterprise application platform 7.3
redhat enterprise linux 6.0
redhat enterprise linux 7.0
redhat enterprise linux 8.0
oracle customer management and segmentation foundation *
oracle goldengate application adapters 19.1.0.0.0
oracle retail customer management and segmentation foundation 17.0
oracle weblogic server 12.2.1.3.0
fasterxml jackson-databind 2.9.9
ibm cognos business intelligence 10.2.2
ibm maximo asset management 7.6.0
ibm cognos analytics 11.0
ibm rational rhapsody design manager 6.0.2
oracle weblogic server 12.2.1.3.0
ibm spectrum protect plus 10.1.0
ibm platform symphony 7.1.1
ibm platform symphony 7.1.2
ibm platform symphony 7.2.0.2
ibm maximo asset management 7.6.1
ibm sterling b2b integrator 6.0.0.0
ibm sterling b2b integrator 5.2.0.0
ibm sterling b2b integrator 6.0.1.0
ibm cognos analytics 11.1
ibm watson discovery 2.0.1
ibm watson discovery 2.0.0
ibm platform symphony 7.3
ibm platform symphony 7.2.1
ibm spectrum protect plus 10.1.5
ibm data risk manager 2.0.1
ibm data risk manager 2.0.2
ibm data risk manager 2.0.3
ibm data risk manager 2.0.4
ibm data risk manager 2.0.5
ibm data risk manager 2.0.6
ibm sterling b2b integrator 6.0.3.1
ibm security identity governance and intelligence 5.2.6
ibm log analysis 1.3.5.3
ibm log analysis 1.3.6.0
ibm data risk manager 2.0.6.1
ibm data risk manager 2.0.6.2
ibm security guardium insights 2.0.1
ibm log analysis 1.3.6.1
ibm sterling b2b integrator 6.1.0.0
ibm integration designer 20.0.0.2
ibm security verify governance 10.0
Denotes that component is vulnerable