FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:0782 advisory.

    The jackson-databind package provides general data-binding functionality for Jackson, which works on top     of Jackson core streaming API.

    Security Fix(es):

    * jackson-databind: Potential information exfiltration with default typing, serialization gadget from     MyBatis (CVE-2018-11307)

    * jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

    * jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

    * jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)

    * jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)

    * jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)

    * jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)

    * jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)

    * jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

    * jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4813-1 advisory.

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to obtain sensitive information. (CVE-2018-11307, CVE-2019-12086, CVE-2019-12814)

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to execute arbitrary code or other unspecified impact. (CVE-2018-12022, CVE-2018-12023,     CVE-2018-14718, CVE-2018-14719, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12384,     CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,     CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968,     CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620,     CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-8840, CVE-2020-9546,     CVE-2020-9547, CVE-2020-9548)

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to execute XML entity (XXE) attacks. (CVE-2018-14720)

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to execute server-side request forgery (SSRF). (CVE-2018-14721)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Payara Releases reports :

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases :

- CVE-2018-14721 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks

- CVE-2018-14720 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks

- CVE-2018-14719 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code

- CVE-2018-14718 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code

- CVE-2018-14371 Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter

Multiple security issues were found in jackson-databind, a Java library to parse JSON and other data formats which could result in information disclosure or the execution of arbitrary code.

Several deserialization flaws were discovered in jackson-databind, a fast and powerful JSON library for Java, which could allow an unauthenticated user to perform code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization.

For Debian 8 'Jessie', these problems have been fixed in version 2.4.2-2+deb8u5.

We recommend that you upgrade your jackson-databind packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the January 2019 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities.

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. (CVE-2018-14718)

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. (CVE-2018-1000180)

Vulnerability in the Oracle WebCenter Portal component of Oracle Fusion Middleware (subcomponent: WebCenter Spaces Application). Supported versions that are affected are 11.1.1.9.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Portal accessible data. (CVE-2019-2427)

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : 

  - Enterprise Manager Base Platform Agent Next Gen (Jython)     component of Oracle Enterprise Manager Products Suite is easily     exploited and can allow an unauthenticated attacker the ability     to takeover the Enterprise Manager Base Platform. (CVE-2016-4000)

  - Enterprise Manager Base Platform Discovery Framework (OpenSSL)     component of Oracle Enterprise Manager Products Suite is easily     exploited and can allow an unauthenticated attacker the ability     to cause a frequent crash (DoS) of the Enterprise Manager Base     Platform. (CVE-2018-0732)

  - Enterprise Manager Ops Center Networking (OpenSSL) component of     Oracle Enterprise Manager Products Suite is easily exploited     and can allow an unauthenticated attacker the ability to cause a     frequent crash (DoS) of the Enterprise Manager Ops Center     Platform. (CVE-2018-0732)

  - Oracle Application Testing Suite Load Testing for Web Apps     (Spring Framework) component of Oracle Enterprise Manager     Products Suite is easily exploited and can allow an     unauthenticated attacker the ability to takeover the Enterprise     Manager Base Platform. (CVE-2018-1258)

  - Enterprise Manager Base Platform EM Console component is easily     exploited by an unauthenticated attacker. Successful attacks     can result in unauthorized update, insert, or delete access.     (CVE-2018-3303)

  - Oracle Application Testing Suite Load Testing for Web Apps     component is easily exploited by an unauthenticated attacker.     Successful attacks can result in unauthorized update, insert, or     delete access and a partial denial of service. (CVE-2018-3304)

  - Oracle Application Testing Suite Load Testing for Web Apps     component is easily exploited by an unauthenticated attacker.     Successful attacks can result in unauthorized update, insert, or     delete access and a partial denial of service. (CVE-2018-3305)

  - Enterprise Manager for Virtualization Plug-In Lifecycle     (jackson-databind) component of Oracle Enterprise Manager     allows an unauthenticated attacker the ability to takeover      Enterprise Manager for Virtualization. (CVE-2018-12023)

  - Enterprise Manager for Virtualization Plug-In Lifecycle     (jackson-databind) component of Oracle Enterprise Manager     allows an unauthenticated attacker the ability to takeover      Enterprise Manager for Virtualization. (CVE-2018-14718)

  - Enterprise Manager Ops Center Networking (cURL) component of     Oracle Enterprise Manager allows an unauthenticated attacker the     ability to takeover Enterprise Manager Ops Center.     (CVE-2018-1000300)

According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.x prior to 16.2.15.6 or 17.x prior to 17.12.9.2 or 18.x prior to 18.8.4.1. It is, therefore, affected by multiple vulnerabilities:

  - An arbitrary file upload vulnerability exists in Blueimp     jQuery-File-Upload. An unauthenticated, remote attacker     can exploit this to upload arbitrary files on the remote     host subject to the privileges of the user.

  - A remote command execution vulnerability exists in     jackson-databind due to a failure to block various     classes from polymorphic deserialization. An     unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2018-14718, CVE-2018-14719     CVE-2018-14720, CVE-2018-14721)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194170	RHEL 7 : rh-maven35-jackson-databind (RHSA-2019:0782)	Nessus	Red Hat Local Security Checks	critical
183541	Ubuntu 16.04 ESM : Jackson Databind vulnerabilities (USN-4813-1)	Nessus	Ubuntu Local Security Checks	critical
141314	FreeBSD : payara -- multiple vulnerabilities (71c71ce0-0805-11eb-a3a4-0019dbb15b3f)	Nessus	FreeBSD Local Security Checks	critical
125416	Debian DSA-4452-1 : jackson-databind - security update	Nessus	Debian Local Security Checks	critical
122603	Debian DLA-1703-1 : jackson-databind security update	Nessus	Debian Local Security Checks	critical
122290	Fedora 29 : bouncycastle / eclipse-jgit / eclipse-linuxtools / etc (2019-df57551f6d)	Nessus	Fedora Local Security Checks	critical
121347	Oracle WebCenter Portal Multiple Vulnerabilities (Jan 2019 CPU)	Nessus	Misc.	critical
121257	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU)	Nessus	Misc.	critical
121251	Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2019 CPU)	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2018-14718

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical