The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of jackson-databind: file reading via Polymorphic Typing JSON Message

Synthesis of the vulnerability

A local attacker can read a file via a polymorphic-typing JSON message processed by jackson-databind, in order to obtain sensitive information.
Severity of this weakness: 2/4.
Creation date: 24/06/2019.
References of this bulletin: CVE-2019-12384, DLA-1831-1, DSA-4542-1, FEDORA-2019-ae6a703b8f, FEDORA-2019-fb23eccc03, NTAP-20190703-0002, RHSA-2019:1820-01, RHSA-2019:2720-01, RHSA-2019:2935-01, RHSA-2019:2936-01, RHSA-2019:2937-01, RHSA-2019:2938-01, VIGILANCE-VUL-29604.

Description of the vulnerability

A local attacker can read a file via a polymorphic-typing JSON message processed by jackson-databind, in order to obtain sensitive information.
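As an added example (not part of the Vigil@nce bulletin and not jackson-databind's own code), the following Java snippet shows the two configuration choices a defender makes around Jackson's polymorphic typing: an explicitly closed type hierarchy instead of global default typing, and, where default typing cannot be avoided, an allow-list PolymorphicTypeValidator so that a JSON message cannot select arbitrary classes. It assumes jackson-databind 2.10 or later (the validator API does not exist in 2.9.x); the Shape, Circle, Square and Drawing classes and the two sample messages are constructed for the example.

```java
// Added example, not from the advisory or the jackson-databind project.
// Assumes jackson-databind 2.10+ on the classpath; all class names below are hypothetical.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicTyping {

    // Preferred: a closed hierarchy. Only the two registered names can be
    // resolved from the "type" property, regardless of what the message carries.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}

    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }
    public static class Drawing { public Shape shape; }

    // Weak setting: global default typing with no validator, so the message itself
    // chooses which class on the classpath gets instantiated. Shown only as the
    // configuration to avoid; the method is deprecated in 2.10+.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened setting: default typing stays off unless a code base truly needs it,
    // and when it does, class-name type ids are checked against an allow list
    // (here: only subtypes of Shape) before any class is loaded.
    static ObjectMapper hardenedMapper(boolean needsDefaultTyping) {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Shape.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.setPolymorphicTypeValidator(ptv);
        if (needsDefaultTyping) {
            m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        }
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper(false);

        // Constructed sample messages (not taken from the advisory).
        String expected = "{\"shape\":{\"type\":\"circle\",\"radius\":2.0}}";
        String unexpected = "{\"shape\":{\"type\":\"com.example.NotRegistered\"}}";

        Drawing d = mapper.readValue(expected, Drawing.class);
        System.out.println("accepted: " + d.shape.getClass().getSimpleName());

        try {
            mapper.readValue(unexpected, Drawing.class);
        } catch (JsonMappingException e) {
            // An unregistered type id is rejected before anything is instantiated;
            // logging this is a useful detection signal for probing of the endpoint.
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The weakMapper() method exists only to show the setting the bulletin's class of vulnerability depends on; production code should use the closed-hierarchy approach, and reach for activateDefaultTyping() only with an allow-list validator and after upgrading to the fixed package versions.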

This security bulletin impacts software or systems such as Debian, Fedora, SnapCenter Backup Management, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio.

Our Vigil@nce team determined that the severity of this cybersecurity announcement is medium.

The trust level is: confirmed by the editor, with a document as origin.

An attacker with an expert ability can exploit this vulnerability alert.

Solutions for this threat

Debian 8: new jackson-databind packages.
New packages are available:
  Debian 8: jackson-databind 2.4.2-2+deb8u7

Debian 9/10: new jackson-databind packages.
New packages are available:
  Debian 9: jackson-databind 2.8.6-1+deb9u6
  Debian 10: jackson-databind 2.9.8-3+deb10u1

Fedora: new jackson packages.
New packages are available:
  Fedora 30: jackson-annotations 2.9.9-1.fc30, jackson-core 2.9.9-1.fc30, jackson-bom 2.9.9-1.fc30, jackson-databind 2.9.9.3-1.fc30
  Fedora 29: jackson-annotations 2.9.9-1.fc29, jackson-core 2.9.9-1.fc29, jackson-bom 2.9.9-1.fc29, jackson-databind 2.9.9.3-1.fc29

NetApp SnapCenter: solution for FasterXML jackson-databind.
Contrary to its first announcement, NetApp SnapCenter is not vulnerable.

Red Hat JBoss EAP: version 7.2.4.
Version 7.2.4 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.2

RHEL 7: new rh-maven35-jackson-databind packages.
New packages are available:
  RHEL 7: rh-maven35-jackson-databind 2.7.6-2.6.el7

RHEL 8: new pki-deps-10.6 module.
The following module is updated:
  RHEL 8 Module: pki-deps:10.6

SAS: version 9.4M6 TS1M6 11-19-2019.
Version 9.4M6 TS1M6 11-19-2019 is fixed:
  http://ftp.sas.com/techsup/download/hotfix/HF2/SAS_Security_Updates.html
