2018-02-06 16:29:00 2021-02-25 22:56:00

A deserialization flaw was discovered in jackson-databind, in versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.

Vector: NETWORK
Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL

Oracle Webcenter portal 12.2.1.3.0 * * * (not an official CPE)
Oracle Utilities advanced spatial and operational analytics 2.7.0.1 * * * (not an official CPE)
Oracle Primavera unifier 18.8 * * * (not an official CPE)
Oracle Primavera unifier 16.1 * * * (not an official CPE)
Oracle Primavera unifier 16.2 * * * (not an official CPE)
Oracle Primavera unifier * * * * (not an official CPE)
Oracle Global lifecycle management opatchauto * * * * (not an official CPE)
Oracle Financial services analytical applications infrastructure 8.0.6.0.0 * * * (not an official CPE)
Oracle Financial services analytical applications infrastructure 8.0.7.0.0 * * * (not an official CPE)
Oracle Financial services analytical applications infrastructure 8.0.4.0.0 * * * (not an official CPE)
Oracle Financial services analytical applications infrastructure 8.0.5.0.0 * * * (not an official CPE)
Oracle Financial services analytical applications infrastructure 8.0.3.0.0 * * * (not an official CPE)
Oracle Enterprise manager for virtualization 13.2.3 * * * (not an official CPE)
Oracle Financial services analytical applications infrastructure 8.0.2.0.0 * * * (not an official CPE)
Oracle Enterprise manager for virtualization 13.3.1 * * * (not an official CPE)
Oracle Communications instant messaging server 10.0.1.2.0 * * * (not an official CPE)
Oracle Enterprise manager for virtualization 13.2.2 * * * (not an official CPE)
Oracle Communications billing and revenue management 12.0 * * * (not an official CPE)
Oracle Communications communications policy management * * * * (not an official CPE)
Oracle Communications diameter signaling route * * * * (not an official CPE)
Oracle Communications instant messaging server 10.0.1 * * * (not an official CPE)
Oracle Communications billing and revenue management 7.5 * * * (not an official CPE)
Oracle Banking platform 2.6.2 * * * (not an official CPE)
Oracle Banking platform 2.6.1 * * * (not an official CPE)
Oracle Banking platform 2.6.0 * * * (not an official CPE)
Oracle Banking platform 2.5.0 * * * (not an official CPE)
Redhat Openshift container platform 3.11 * * * (not an official CPE)
Netapp Snapcenter - * * * (not an official CPE)
Netapp Oncommand shift - * * * (not an official CPE)
Netapp Oncommand balance - * * * (not an official CPE)
Netapp Oncommand performance manager - * * * (not an official CPE)
Netapp Oncommand performance manager - * * * (not an official CPE)
Apache Struts * * * * (not an official CPE)
Fasterxml Jackson-databind 2.9.0 Prerelease2 * * (not an official CPE)
Fasterxml Jackson-databind * * * * (not an official CPE)
Fasterxml Jackson-databind 2.9.0 Prerelease1 * * (not an official CPE)
Fasterxml Jackson-databind * * * * (not an official CPE)
Fasterxml Jackson-databind * * * * (not an official CPE)

Advisory Patch Confirmed Link
https://lists.apache.org/thread.html/b1f33fe5ade396bb903...
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://www.oracle.com/technetwork/security-advisory/cpu...
https://lists.apache.org/thread.html/c2ed4c0126b43e324cf...
https://lists.apache.org/thread.html/c9d5ff20929e8a3c879...
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.debian.org/security/2017/dsa-4004
https://security.netapp.com/advisory/ntap-20171214-0002/
https://support.hpe.com/hpsc/doc/public/display?docLocal...
https://lists.debian.org/debian-lts-announce/2020/01/msg...
https://lists.debian.org/debian-lts-announce/2020/08/msg...
https://lists.apache.org/thread.html/708d94141126eac0301...
https://lists.apache.org/thread.html/9317fd092b257a08154...
https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70f...
https://lists.apache.org/thread.html/f095a791bda6c0595f6...
https://lists.apache.org/thread.html/r68acf97f4526ba59a3...
http://www.securitytracker.com/id/1039744
https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf1...
http://www.securityfocus.com/bid/99623
https://access.redhat.com/errata/RHSA-2017:3456
http://www.oracle.com/technetwork/security-advisory/cpuj...
http://www.oracle.com/technetwork/security-advisory/cpuo...
https://lists.apache.org/thread.html/5008bcbd45ee65ce39e...
https://lists.apache.org/thread.html/4641ed8616ccc2c1fbd...
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2019:0910
https://github.com/FasterXML/jackson-databind/issues/172...
https://github.com/FasterXML/jackson-databind/issues/159...
https://cwiki.apache.org/confluence/display/WW/S2-055
https://bugzilla.redhat.com/show_bug.cgi?id=1462702
https://lists.apache.org/thread.html/3c87dc8bca99a2b3b47...
https://access.redhat.com/errata/RHSA-2017:3458
https://access.redhat.com/errata/RHSA-2018:0294
https://access.redhat.com/errata/RHSA-2018:0342
https://access.redhat.com/errata/RHSA-2017:2636
https://access.redhat.com/errata/RHSA-2017:3455
https://access.redhat.com/errata/RHSA-2017:3454
https://access.redhat.com/errata/RHSA-2017:3141
https://access.redhat.com/errata/RHSA-2017:2638
https://access.redhat.com/errata/RHSA-2017:2637
https://access.redhat.com/errata/RHSA-2017:2633
https://access.redhat.com/errata/RHSA-2017:2635
https://access.redhat.com/errata/RHSA-2017:2547
https://access.redhat.com/errata/RHSA-2017:2546
https://access.redhat.com/errata/RHSA-2017:2477
https://access.redhat.com/errata/RHSA-2017:1840
https://access.redhat.com/errata/RHSA-2017:1837
https://access.redhat.com/errata/RHSA-2017:1839
https://access.redhat.com/errata/RHSA-2017:1836
http://www.securitytracker.com/id/1040360
https://access.redhat.com/errata/RHSA-2017:1835
https://access.redhat.com/errata/RHSA-2017:1834
http://www.securitytracker.com/id/1039947
https://www.oracle.com/technetwork/security-advisory/cpu...
http://www.oracle.com/technetwork/security-advisory/cpua...
https://www.oracle.com/technetwork/security-advisory/cpu...