An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:0782 advisory.

  - jackson-databind: Potential information exfiltration with default typing, serialization gadget from     MyBatis (CVE-2018-11307)

  - jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

  - jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

  - jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)

  - jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)

  - jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

  - jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)

  - jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)

  - jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)

  - jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4813-1 advisory.

  - An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing     along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and     2.9.6. (CVE-2018-11307)

  - An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default     Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for     database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to     access, it is possible to make the service execute a malicious payload. (CVE-2018-12022)

  - An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default     Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the     classpath, and an attacker can provide an LDAP service to access, it is possible to make the service     execute a malicious payload. (CVE-2018-12023)

  - FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by     leveraging failure to block the slf4j-ext class from polymorphic deserialization. (CVE-2018-14718)

  - FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by     leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
    (CVE-2018-14719)

  - FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE)     attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
    (CVE-2018-14720)

  - FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request     forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic     deserialization. (CVE-2018-14721)

  - FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging     failure to block the axis2-transport-jms class from polymorphic deserialization. (CVE-2018-19360)

  - FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging     failure to block the openjpa class from polymorphic deserialization. (CVE-2018-19361)

  - FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging     failure to block the jboss-common-core class from polymorphic deserialization. (CVE-2018-19362)

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default     Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint,     the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can     host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that     allows them to read arbitrary local files on the server. This occurs because of missing     com.mysql.cj.jdbc.admin.MiniAdmin validation. (CVE-2019-12086)

  - FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by     leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the     classpath content, remote code execution may be possible. (CVE-2019-12384)

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default     Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and     the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON     message that allows them to read arbitrary local files on the server. (CVE-2019-12814)

  - SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache     is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote     code execution. (CVE-2019-14379)

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs     when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON     endpoint and the service has the logback jar in the classpath. (CVE-2019-14439)

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to     com.zaxxer.hikari.HikariConfig. (CVE-2019-14540)

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to     com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
    (CVE-2019-16335)

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default     Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and     the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service     endpoint to access, it is possible to make the service execute a malicious payload. This issue exists     because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and     org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. (CVE-2019-16942)

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default     Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and     the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint     to access, it is possible to make the service execute a malicious payload. This issue exists because of     com.p6spy.engine.spy.P6DataSource mishandling. (CVE-2019-16943)

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to     net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. (CVE-2019-17267)

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default     Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and     the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a     JNDI service to access, it is possible to make the service execute a malicious payload. (CVE-2019-17531)

  - FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. (CVE-2019-20330)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka     aries.transaction.jms). (CVE-2020-10672)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). (CVE-2020-10673)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). (CVE-2020-10968)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to javax.swing.JEditorPane. (CVE-2020-10969)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and     activemq-pool-jms). (CVE-2020-11111)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
    (CVE-2020-11112)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). (CVE-2020-11113)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
    (CVE-2020-11619)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). (CVE-2020-11620)

  - FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets     and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
    (CVE-2020-14060)

  - FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets     and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory,     oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and     oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). (CVE-2020-14061)

  - FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets     and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
    (CVE-2020-14062)

  - FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets     and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). (CVE-2020-14195)

  - FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as     demonstrated by org.apache.xbean.propertyeditor.JndiConverter. (CVE-2020-8840)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
    (CVE-2020-9546)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
    (CVE-2020-9547)

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). (CVE-2020-9548)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security issues were found in jackson-databind, a Java library to parse JSON and other data formats which could result in information disclosure or the execution of arbitrary code.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:1108 advisory.

  - jackson-databind: Potential information exfiltration with default typing, serialization gadget from     MyBatis (CVE-2018-11307)

  - jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

  - jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

  - undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer     (CVE-2018-14642)

  - jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

  - jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)

  - wildfly: Race condition on PID file allows for termination of arbitrary processes by local users     (CVE-2019-3805)

  - wildfly: wrong SecurityIdentity for EE concurrency threads that are reused (CVE-2019-3894)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 7.2.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.0, and includes bug fixes and enhancements. Refer to the Red Hat JBoss Enterprise Application Platform 7.2.1 Release Notes for information on the most significant bug fixes and enhancements included in this release.

Security Fix(es) :

* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)

* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

* undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)

* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)

* wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)

* wildfly: wrong SecurityIdentity for EE concurrency threads that are reused (CVE-2019-3894)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Several deserialization flaws were discovered in jackson-databind, a fast and powerful JSON library for Java, which could allow an unauthenticated user to perform code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization.

For Debian 8 'Jessie', these problems have been fixed in version 2.4.2-2+deb8u5.

We recommend that you upgrade your jackson-databind packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : 

  - Enterprise Manager Base Platform Agent Next Gen (Jython)     component of Oracle Enterprise Manager Products Suite is easily     exploited and can allow an unauthenticated attacker the ability     to takeover the Enterprise Manager Base Platform. (CVE-2016-4000)

  - Enterprise Manager Base Platform Discovery Framework (OpenSSL)     component of Oracle Enterprise Manager Products Suite is easily     exploited and can allow an unauthenticated attacker the ability     to cause a frequent crash (DoS) of the Enterprise Manager Base     Platform. (CVE-2018-0732)

  - Enterprise Manager Ops Center Networking (OpenSSL) component of     Oracle Enterprise Manager Products Suite is easily exploited     and can allow an unauthenticated attacker the ability to cause a     frequent crash (DoS) of the Enterprise Manager Ops Center     Platform. (CVE-2018-0732)

  - Oracle Application Testing Suite Load Testing for Web Apps     (Spring Framework) component of Oracle Enterprise Manager     Products Suite is easily exploited and can allow an     unauthenticated attacker the ability to takeover the Enterprise     Manager Base Platform. (CVE-2018-1258)

  - Enterprise Manager Base Platform EM Console component is easily     exploited by an unauthenticated attacker. Successful attacks     can result in unauthorized update, insert, or delete access.     (CVE-2018-3303)

  - Oracle Application Testing Suite Load Testing for Web Apps     component is easily exploited by an unauthenticated attacker.     Successful attacks can result in unauthorized update, insert, or     delete access and a partial denial of service. (CVE-2018-3304)

  - Oracle Application Testing Suite Load Testing for Web Apps     component is easily exploited by an unauthenticated attacker.     Successful attacks can result in unauthorized update, insert, or     delete access and a partial denial of service. (CVE-2018-3305)

  - Enterprise Manager for Virtualization Plug-In Lifecycle     (jackson-databind) component of Oracle Enterprise Manager     allows an unauthenticated attacker the ability to takeover      Enterprise Manager for Virtualization. (CVE-2018-12023)

  - Enterprise Manager for Virtualization Plug-In Lifecycle     (jackson-databind) component of Oracle Enterprise Manager     allows an unauthenticated attacker the ability to takeover      Enterprise Manager for Virtualization. (CVE-2018-14718)

  - Enterprise Manager Ops Center Networking (cURL) component of     Oracle Enterprise Manager allows an unauthenticated attacker the     ability to takeover Enterprise Manager Ops Center.     (CVE-2018-1000300)

According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 15.x, 16.x prior to 16.2.15.4, 17.x prior to 17.12.8.2, or 18.x prior to 18.8.2.2. It is, therefore, affected by multiple vulnerabilities.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194170	RHEL 7 : rh-maven35-jackson-databind (RHSA-2019:0782)	Nessus	Red Hat Local Security Checks	critical
183541	Ubuntu 16.04 ESM : Jackson Databind vulnerabilities (USN-4813-1)	Nessus	Ubuntu Local Security Checks	critical
125416	Debian DSA-4452-1 : jackson-databind - security update	Nessus	Debian Local Security Checks	critical
124841	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.1 on RHEL 7 (RHSA-2019:1108)	Nessus	Red Hat Local Security Checks	critical
124840	RHEL 6 : JBoss EAP (RHSA-2019:1107)	Nessus	Red Hat Local Security Checks	critical
122603	Debian DLA-1703-1 : jackson-databind security update	Nessus	Debian Local Security Checks	critical
122290	Fedora 29 : bouncycastle / eclipse-jgit / eclipse-linuxtools / etc (2019-df57551f6d)	Nessus	Fedora Local Security Checks	critical
121257	Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU)	Nessus	Misc.	critical
118594	Oracle Primavera Unifier Multiple Vulnerabilities (Oct 2018 CPU)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2018-12023

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

high