FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2024-0303 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4813-1 advisory.

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to obtain sensitive information. (CVE-2018-11307, CVE-2019-12086, CVE-2019-12814)

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to execute arbitrary code or other unspecified impact. (CVE-2018-12022, CVE-2018-12023,     CVE-2018-14718, CVE-2018-14719, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12384,     CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,     CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968,     CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620,     CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-8840, CVE-2020-9546,     CVE-2020-9547, CVE-2020-9548)

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to execute XML entity (XXE) attacks. (CVE-2018-14720)

    It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly     use this issue to execute server-side request forgery (SSRF). (CVE-2018-14721)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4366 advisory.

    Red Hat Satellite is a systems management tool for Linux-based     infrastructure. It allows for provisioning, remote management, and     monitoring of multiple Linux deployments with a single centralized tool.

    Security Fix(es):

    * mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)
    * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
    * rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7663)
    * puppet: puppet server and puppetDB may leak sensitive information via metrics API (CVE-2020-7943)
    * jackson-databind: multiple serialization gadgets (CVE-2020-8840 CVE-2020-9546 CVE-2020-9547     CVE-2020-9548 CVE-2020-10968 CVE-2020-10969 CVE-2020-11619 CVE-2020-14061 CVE-2020-14062 CVE-2020-14195)
    * foreman: unauthorized cache read on RPM-based installations through local user (CVE-2020-14334)
    * Satellite: Local user impersonation by Single sign-on (SSO) user leads to account takeover     (CVE-2020-14380)
    * Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS (CVE-2019-12781)
    * rubygem-rack: hijack sessions by using timing attacks targeting the session id (CVE-2019-16782)
    * rubygem-secure_headers: limited header injection when using dynamic overrides with user input     (CVE-2020-5216)
    * rubygem-secure_headers: directive injection when using dynamic overrides with user input (CVE-2020-5217)
    * rubygem-actionview: views that use the `j` or `escape_javascript` methods are susceptible to XSS attacks     (CVE-2020-5267)
    * puppet: Arbitrary catalog retrieval (CVE-2020-7942)
    * rubygem-rack: directory traversal in Rack::Directory (CVE-2020-8161)
    * rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names     (CVE-2020-8184)
    * hibernate-validator: Improper input validation in the interpolation of constraint error messages     (CVE-2020-10693)
    * puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL     (CVE-2018-11751)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    Additional Changes:

    * Provides the Satellite Ansible Modules that allow for full automation of your Satellite configuration     and deployment.

    * Adds ability to install Satellite and Capsules and manage hosts in a IPv6 network environment

    * Ansible based Capsule Upgrade automation: Ability to centrally upgrade all of your Capsule servers with     a single job execution.

    * Platform upgrades to Postgres 12, Ansible 2.9, Ruby on Rails and latest version of Puppet

    * Support for HTTP UEFI provisioning

    * Support for CAC card authentication with Keycloak integration

    * Add ability to upgrade Red Hat Enterprise Linux 7 hosts to version 8 using the LEAPP based tooling.

    * Support for Red Hat Enterprise Linux Traces integration

    * satellite-maintain & foreman-maintain are now self updating

    * Notifications in the UI to warn users when subscriptions are expiring.

    The items above are not a complete list of changes. This update also fixes     several bugs and adds various enhancements. Documentation for these changes     is available from the Release Notes document linked to in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Puppetlabs reports :

In June 2020, jackson-databind published security updates addressing several CVEs. Previous releases of PuppetDB contain a vulnerable version of jackson.core:jackson-databind. PuppetDB 5.2.18 contains an updated version of jackson-databind that has patched the vulnerabilities.

There were several CVE(s) reported against src:jackson-databind, which are as follows :

CVE-2020-14060

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

CVE-2020-14061

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

CVE-2020-14062

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

CVE-2020-14195

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

For Debian 8 'Jessie', these problems have been fixed in version 2.4.2-2+deb8u15.

We recommend that you upgrade your jackson-databind packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
194923	Splunk Enterprise 9.0.0 < 9.0.9, 9.1.0 < 9.1.4, 9.2.0 < 9.2.1 (SVD-2024-0303)	Nessus	CGI abuses	critical
183541	Ubuntu 16.04 ESM : Jackson Databind vulnerabilities (USN-4813-1)	Nessus	Ubuntu Local Security Checks	critical
142452	RHEL 7 : Satellite 6.8 (Important) (RHSA-2020:4366)	Nessus	Red Hat Local Security Checks	critical
139471	FreeBSD : puppetdb -- Multiple vulnerabilities (10e3ed8a-db7f-11ea-8bdf-643150d3111d)	Nessus	FreeBSD Local Security Checks	critical
138063	Debian DLA-2270-1 : jackson-databind security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2020-14062

high

Tenable Plugins

critical

critical

critical

critical

high