The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of FasterXML jackson-databind: privilege escalation via xbean-reflect/JNDI

Synthesis of the vulnerability 

An attacker who controls JSON deserialized by FasterXML jackson-databind with Default Typing enabled can name the xbean-reflect class org.apache.xbean.propertyeditor.JndiConverter, which was missing from jackson-databind's gadget blocklist, and trigger a JNDI lookup that can lead to code execution with the application's privileges.
Impacted products: Kafka, Debian, BIG-IP Hardware, TMOS, JBoss EAP by Red Hat.
Severity of this bulletin: 2/4.
Creation date: 20/02/2020.
References for this threat: CVE-2020-8840, DLA-2111-1, K15320518, RHSA-2020:2511-01, RHSA-2020:2512-01, RHSA-2020:2513-01, RHSA-2020:2515-01, RHSA-2020:3637-01, RHSA-2020:3638-01, RHSA-2020:3639-01, RHSA-2020:3642-01, VIGILANCE-VUL-31653.

Description of the vulnerability 

jackson-databind supports polymorphic deserialization ("Default Typing", or an Object-typed property annotated with @JsonTypeInfo), in which the JSON itself names the Java class to instantiate. Because any class on the classpath can then be instantiated from untrusted input, jackson-databind maintains a blocklist of known gadget classes. Versions 2.0.0 through 2.9.10.2 did not block org.apache.xbean.propertyeditor.JndiConverter, shipped by Apache xbean-reflect. When xbean-reflect is on the classpath and the application deserializes attacker-controlled JSON with Default Typing enabled, the attacker can name that class and make it perform a JNDI lookup against a server of his choice, which on many JVM configurations results in code execution with the application's privileges. jackson-databind 2.9.10.3 adds the class to the blocklist. Since the blocklist only catches gadgets that are already known, applications should also disable Default Typing or restrict it to an allowlist with a PolymorphicTypeValidator (available since jackson-databind 2.10).
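To make the description above concrete, here is an added example (not code from this bulletin or from the Jackson project) showing the vulnerable Default Typing configuration beside a hardened one built on an allowlist. It assumes jackson-databind 2.10 or later on the classpath (for PolymorphicTypeValidator and JsonMapper.builder()); the package com.example.app, the classes Envelope and Greeting, and the three JSON inputs are constructed for the example. The gadget class name comes from the CVE-2020-8840 description; the example never instantiates it and includes no JNDI target.

```java
package com.example.app; // hypothetical package; the allowlist below is keyed on it

import java.io.IOException;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Gadget class named in the CVE-2020-8840 description; it is loadable only
    // when xbean-reflect is on the classpath.
    static final String XBEAN_GADGET = "org.apache.xbean.propertyeditor.JndiConverter";

    // Hypothetical application type: "payload" is declared as Object, so with
    // Default Typing enabled the JSON decides which class gets instantiated.
    public static class Envelope {
        public Object payload;
    }

    // Hypothetical application type that legitimately travels in "payload".
    public static class Greeting {
        public String text;
    }

    // Reports whether the gadget is reachable at all. initialize=false keeps
    // the check from running the class's static initializer.
    static boolean gadgetOnClasspath() {
        try {
            Class.forName(XBEAN_GADGET, false, DefaultTypingHardening.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    // BEFORE (vulnerable pattern): legacy Default Typing accepts any class name
    // that is not on Jackson's built-in blocklist. On jackson-databind 2.0.0
    // through 2.9.10.2 JndiConverter was missing from that blocklist.
    static ObjectMapper legacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // AFTER (hardened): polymorphic type ids are only accepted for classes in
    // the application's own package. Anything else is reported as an invalid
    // type id and never instantiated, regardless of the blocklist.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Returns the class Jackson instantiated for "payload", or null when the
    // type id was rejected. Other parse failures propagate as IOException.
    static String payloadClass(ObjectMapper mapper, String json) throws IOException {
        try {
            Envelope env = mapper.readValue(json, Envelope.class);
            return env.payload.getClass().getName();
        } catch (JsonMappingException e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("xbean-reflect gadget loadable: " + gadgetOnClasspath());

        // Constructed inputs. With Default Typing the class name travels as the
        // first element of a wrapper array (Jackson's WRAPPER_ARRAY inclusion).
        String legit = "{\"payload\":[\"" + Greeting.class.getName() + "\",{\"text\":\"hi\"}]}";
        // Benign stand-in for "any class the sender cares to name".
        String unknown = "{\"payload\":[\"java.util.HashMap\",{}]}";
        // The gadget's type id with an empty body: only the type id matters here.
        String hostile = "{\"payload\":[\"" + XBEAN_GADGET + "\",{}]}";

        ObjectMapper legacy = legacyMapper();
        ObjectMapper hardened = hardenedMapper();

        // The legacy mapper instantiates whatever class the JSON names, as long
        // as the blocklist does not know it; the hardened mapper only accepts
        // the application's own types and rejects the gadget id outright.
        System.out.println("legacy,   legit:   " + payloadClass(legacy, legit));
        System.out.println("legacy,   unknown: " + payloadClass(legacy, unknown));
        System.out.println("hardened, legit:   " + payloadClass(hardened, legit));
        System.out.println("hardened, unknown: " + payloadClass(hardened, unknown));
        System.out.println("hardened, hostile: " + payloadClass(hardened, hostile));
    }
}
```

On a fixed jackson-databind (2.9.10.3 or later) the legacy mapper would also reject the JndiConverter type id, because it is now on the blocklist; the point of the allowlist is that the outcome no longer depends on the blocklist keeping pace with newly found gadgets. Jackson may still resolve the named class before the validator denies it, but it is never instantiated, so the JNDI lookup never runs. If the application does not need polymorphic deserialization of Object-typed properties at all, leaving Default Typing off is simpler still.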

This vulnerability note impacts software or systems such as Kafka, Debian, BIG-IP Hardware, TMOS, JBoss EAP by Red Hat.

Our Vigil@nce team determined that the severity of this cybersecurity vulnerability is medium.

Trust level: confirmed by the vendor (source: vendor document).

Exploiting this vulnerability requires expert skill.

Solutions for this threat 

Apache Kafka: version 2.5.1.
The version 2.5.1 is fixed:
  https://kafka.apache.org/downloads#2.5.1

Apache Kafka: version 2.6.0.
The version 2.6.0 is fixed:
  http://kafka.apache.org/downloads

Apache ZooKeeper: version 3.5.8.
The version 3.5.8 is fixed:
  https://www.apache.org/dyn/closer.lua/zookeeper/zookeeper-3.5.8/apache-zookeeper-3.5.8.tar.gz

Debian 8: new jackson-databind packages.
New packages are available:
  Debian 8: jackson-databind 2.4.2-2+deb8u11

Red Hat JBoss EAP: version 7.2.9.
The version 7.2.9 is fixed:
  https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/

Red Hat JBoss EAP: version 7.3.1.
The version 7.3.1 is fixed:
  https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
