FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets     and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). (CVE-2020-11113)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Ubuntu 16.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4813-1 advisory.

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to obtain sensitive information. (CVE-2018-11307, CVE-2019-12086, CVE-2019-12814)

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to execute arbitrary code or other unspecified impact. (CVE-2018-12022, CVE-2018-12023,     CVE-2018-14718, CVE-2018-14719, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12384,     CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,     CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968,     CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620,     CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-8840, CVE-2020-9546,     CVE-2020-9547, CVE-2020-9548)

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to execute XML entity (XXE) attacks. (CVE-2018-14720)

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to execute server-side request forgery (SSRF). (CVE-2018-14721)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1523 advisory.

    The jackson-databind package provides general data-binding functionality for Jackson, which works on top     of Jackson core streaming API.

    Security Fix(es):

    * jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)

    * jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969)

    * jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory     (CVE-2020-11111)

    * jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider     (CVE-2020-11112)

    * jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime     (CVE-2020-11113)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3817 advisory.

    Red Hat AMQ Clients enable connecting, sending, and receiving messages over the AMQP 1.0 wire transport     protocol to or from AMQ Broker 6 and 7.

    This update provides various bug fixes and enhancements in addition to the client package versions     previously released on Red Hat Enterprise Linux 6, 7, and 8.

    Security Fix(es):

    * jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime     (CVE-2020-11113)

    * wildfly: Some EJB transaction objects may get accumulated causing Denial of Service (CVE-2020-14297)

    * wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing     Denial of Service (CVE-2020-14307)

    * log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.1.x or 16.2.x prior to 16.2.16.2, or 17.7.x through 17.12.x prior to 17.12.11.4, or 18.8.x prior to 18.8.17, or 19.12.x prior to 19.12.7. It is, therefore, affected by multiple vulnerabilities, including the following:

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Platform     (jackson-databind)). Supported versions that are affected are 16.1, 16.2, 17.7-17.12, 18.8 and 19.12.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Primavera Unifier. Successful attacks of this vulnerability can result in takeover of Primavera     Unifier. (CVE-2020-9546)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Core     (Apache Ant)). Supported versions that are affected are 16.1, 16.2, 17.7-17.12, 18.8 and 19.12. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized creation, deletion     or modification access to critical data or all Primavera Unifier accessible data as well as unauthorized     access to critical data or complete access to all Primavera Unifier accessible data. (CVE-2020-1945)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Mobile     App). The supported version that is affected is Prior to 20.6. Difficult to exploit vulnerability allows     unauthenticated attacker with network access via HTTPS to compromise Primavera Unifier. Successful attacks     require human interaction from a person other than the attacker. Successful attacks of this vulnerability     can result in unauthorized access to critical data or complete access to all Primavera Unifier accessible     data as well as unauthorized update, insert or delete access to some of Primavera Unifier accessible data.
    (CVE-2020-14618)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Following CVEs were reported against the jackson-databind source package :

CVE-2020-10968

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

CVE-2020-10969

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

CVE-2020-11111

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

CVE-2020-11112

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

CVE-2020-11113

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

CVE-2020-11619

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

CVE-2020-11620

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

For Debian 8 'Jessie', these problems have been fixed in version 2.4.2-2+deb8u14.

We recommend that you upgrade your jackson-databind packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
222961	Linux Distros Unpatched Vulnerability : CVE-2020-11113	Nessus	Misc.	high
183541	Ubuntu 16.04 ESM : Jackson Databind vulnerabilities (USN-4813-1)	Nessus	Ubuntu Local Security Checks	critical
170300	RHEL 7 : rh-maven35-jackson-databind (RHSA-2020:1523)	Nessus	Red Hat Local Security Checks	high
140747	RHEL 6 / 7 / 8 : AMQ Clients 2.8.0 Release (Moderate) (RHSA-2020:3817)	Nessus	Red Hat Local Security Checks	high
138508	Oracle Primavera Unifier Multiple Vulnerabilities (Jul 2020 CPU)	Nessus	CGI abuses	critical
135722	Debian DLA-2179-1 : jackson-databind security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2020-11113

high

Tenable Plugins

high

critical

high

high

critical

high