Synopsis
Important: rh-maven35-jackson-databind security update
Type/Severity
Security Advisory: Important
Topic
An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.
Security Fix(es):
- jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)
- jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)
- jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)
- jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)
- jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)
- jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)
- jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)
- jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)
- jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
- jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
-
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7 s390x
-
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7 ppc64le
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6 x86_64
-
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.6 s390x
-
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.6 ppc64le
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
-
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.5 s390x
-
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.5 ppc64le
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
-
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.4 s390x
-
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.4 ppc64le
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
-
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
-
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
-
Red Hat Software Collections (for RHEL Server for ARM) 1 aarch64
-
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Fixes
-
BZ - 1666415
- CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
-
BZ - 1666418
- CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
-
BZ - 1666423
- CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
-
BZ - 1666428
- CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
-
BZ - 1666482
- CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
-
BZ - 1666484
- CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
-
BZ - 1666489
- CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
-
BZ - 1671096
- CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
-
BZ - 1671097
- CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
-
BZ - 1677341
- CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| x86_64 |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| s390x |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| ppc64le |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| x86_64 |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.6
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| s390x |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.6
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| ppc64le |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| x86_64 |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.5
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| s390x |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.5
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| ppc64le |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| x86_64 |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.4
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| s390x |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.4
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| ppc64le |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| x86_64 |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| s390x |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| ppc64le |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Server for ARM) 1
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| aarch64 |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
| SRPM |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.src.rpm
|
SHA-256: 67dbaaec663461b4b515ca05d406dfcaf1136c8599f729b3490e63683a9d1f6c |
| x86_64 |
|
rh-maven35-jackson-databind-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 91cf5c54cf19daa46a471892c27c98087e48a2f1a1d86d0781bacc2aea199ba5 |
|
rh-maven35-jackson-databind-javadoc-2.7.6-2.5.el7.noarch.rpm
|
SHA-256: 4e9a02b188e48755a598bba62d89b34792fad93af7f00dafb900bb6b7e4b27e8 |