openSUSE 16: jackson-annotations / jackson-annotations-javadoc / jackson-core / etc (openSUSE-SU-2026:21201-1)

high Nessus Plugin ID 325046

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21201-1 advisory.

This update for jackson-annotations, jackson-core, jackson-databind fixes the following issues

- CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation (bsc#1268897).
- CVE-2026-54513: jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (bsc#1268898).
- CVE-2026-54514: InetSocketAddress deserialization triggers eager DNS resolution (bsc#1268899).
- CVE-2026-54515: jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties (bsc#1268902).
- document length constraint bypass in blocking, async, and DataInput parsers (bsc#1268603).

Changes for jackson-annotations:

- Update to 2.18.8
* No changes since 2.17.3

Changes for jackson-core:

- Update to 2.18.8
* Changes of 2.18.8 + #1611: Apply number-length validator on streaming integer path of async parser
* Changes of 2.18.7 + #1570: Fail parsing from 'DataInput' if 'StreamReadConstraints .getMaxDocumentLength()' set (bsc#1268603, GHSA-2m67-wjpj-xhg9) + #1600: Rework 3rd party licenses in jar + #1602: 'UTF8DataInputJsonParser' needs to enforce 'StreamReadConstraints.maxNameLength' limit
* Changes of 2.18.6 + #1512: Number-parsing fix for 'UTF8DataInputJsonParser' + #1548: 'StreamReadConstraints.maxDocumentLength' not checked when creating parser with fixed buffer + #1555: Enforce 'StreamReadConstraints.maxNumberLength' for non-blocking (async) parser
* Changes of 2.18.5 + #1433: 'JsonParser#getNumberType()' throws 'JsonParseException' when the current token is non-numeric instead of returning null + #1446: Invalid package reference to java.lang.foreign from 'com.fasterxml.jackson.core:jackson-core' (from 'FastDoubleParser')
* Changes of 2.18.3 + #1391: Fix issue where the parser can read back old number state when parsing later numbers + #1397: Jackson changes additional values to infinite in case of special JSON structures and existing infinite values + #1398: Fix issue that feature COMBINE_UNICODE_SURROGATES_IN_UTF8 doesn't work when custom characterEscape is used
* Changes of 2.18.2 + #1359: Non-surrogate characters being incorrectly combined when 'JsonWriteFeature.COMBINE_UNICODE_SURROGATES_IN_UTF8' is enabled
* Changes of 2.18.1 + #1353: Use fastdoubleparser 1.0.90
* Changes of 2.18.
+ #223: 'UTF8JsonGenerator' writes supplementary characters as a surrogate pair: should use 4-byte encoding + #1230: Improve performance of 'float' and 'double' parsing from 'TextBuffer' + #1251: 'InternCache' replace synchronized with 'ReentrantLock'
- the cache size limit is no longer strictly enforced for performance reasons but we should never go far about the limit + #1252: 'ThreadLocalBufferManager' replace synchronized with 'ReentrantLock' + #1257: Increase InternCache default max size from 100 to 200 + #1262: Add diagnostic method 'pooledCount()' in 'RecyclerPool' + #1264: Rename shaded 'ch.randelshofer:fastdoubleparser' classes to prevent use by downstream consumers + #1271: Deprecate 'LockFreePool' implementation in 2.18 (remove from 3.0) + #1274: 'NUL'-corrupted keys, values on JSON serialization + #1277: Add back Java 22 optimisation in FastDoubleParser + #1284: Optimize 'JsonParser.getDoubleValue()/getFloatValue() /getDecimalValue()' to avoid String allocation + #1305: Make helper methods of 'WriterBasedJsonGenerator' non-final to allow overriding + #1310: Add new 'StreamReadConstraints' ('maxTokenCount') to limit maximum number of Tokens allowed per document# + #1331: Update to FastDoubleParser v1.0.1 to fix 'BigDecimal' decoding proble

Changes for jackson-databind:

- Update to 2.18.8
* Changes of 2.18.8 + #5950: Improve 'UUIDeserializer' error handling + #5951: Improve 'InetSocketAddress' deserialization (bsc#1268899, CVE-2026-54514) + #5969: '@JsonView' by-passed for some setterless creator properties + #5971: '@JsonView' by-passed for unwrapped creator parameters + #5974: '@JsonIgnore' on Record property ignored with 'PropertyNamingStrategy' + #5981: 'BasicPolymorphicTypeValidator' setting 'allowIfSubTypeIsArray()' should validate element type (bsc#1268898, CVE-2026-54513) + #5988: 'PolymorphicTypeValidator' needs to validate generic type parameters too (bsc#1268897, CVE-2026-54512) + #5993: 'UPPER_SNAKE_CASE' / 'LOWER_CASE' 'NamingStrategyImpls' fold case using JVM default locale (Turkish-I bug)
* Changes of 2.18.4 + #4628: '@JsonIgnore' and '@JsonProperty.access=READ_ONLY' on Record property ignored for deserialization + #5049: Duplicate creator property b (index 0 vs 1) on simple java record
* Changes of 2.18.3 + #4444: The 'KeyDeserializer' specified in the class with '@JsonDeserialize(keyUsing = ...)' is overwritten by the 'KeyDeserializer' specified in the 'ObjectMapper'.
+ #4827: Subclassed Throwable deserialization fails since v2.18.0 - no creator index for property 'cause' + #4844: Fix wrapped array handling wrt 'null' by 'StdDeserializer' + #4848: Avoid type pollution in 'StringCollectionDeserializer' + #4860: 'ConstructorDetector.USE_PROPERTIES_BASED' does not work with multiple constructors since 2.18 + #4878: When serializing a Map via Converter(StdDelegatingSerializer), a NullPointerException is thrown due to missing key serializer + #4908: Deserialization behavior change with @JsonCreator and @ConstructorProperties between 2.17 and 2.18 + #4917: 'BigDecimal' deserialization issue when using '@JsonCreator' + #4920: Creator properties are ignored on abstract types when collecting bean properties, breaking AsExternalTypeDeserializer + #4922: Failing '@JsonMerge' with a custom Map + #4932: Conversion of 'MissingNode' throws 'JsonProcessingException'
* Changes of 2.18.2 + #4733: Wrong serialization of Type Ids for certain types of Enum values + #4742: Deserialization with Builder, External type id, '@JsonCreator' failing + #4777: 'StdValueInstantiator.withArgsCreator' is now set for creators with no arguments + #4783 Possibly wrong behavior of @JsonMerge + #4787: Wrong 'String.format()' in 'StdDelegatingDeserializer' hides actual error + #4788: 'EnumFeature.WRITE_ENUMS_TO_LOWERCASE' overrides '@JsonProperty' values + #4790: Fix '@JsonAnySetter' issue with setter method (related to #4639) + #4807: Improve 'FactoryBasedEnumDeserializer' to work better with XML module + #4810: Deserialization using '@JsonCreator' with renamed property failing (since 2.18)
* Changes of 2.18.1 + #4508: Deserialized JsonAnySetter field in Kotlin data class is null + #4639: @JsonAnySetter on field ignoring unrecognized properties if they are declared before the last recognized properties in JSON + #4718: Should not fail on trying to serialize 'java.time.DateTimeException' + #4724: Deserialization behavior change with Records, '@JsonCreator' and '@JsonValue' between 2.17 and 2.18 + #4727: Eclipse having issues due'module-info' class lost on 2.18.0 jars + #4741: When 'Include.NON_DEFAULT' setting is used on POJO, empty values are not included in json if default is 'null' + #4749: Fixed a problem with 'StdDelegatingSerializer#serializeWithType' looking up the serializer with the wrong argument
* Changes of 2.18.0 + #562: Allow '@JsonAnySetter' to flow through Creators + #806: Problem with 'NamingStrategy', creator methods with implicit names + #2977: Incompatible 'FAIL_ON_MISSING_PRIMITIVE_PROPERTIES' and field level '@JsonProperty' + #3120: Return 'ListIterator' from 'ArrayNode.elements()' + #3241: 'constructorDetector' seems to invalidate 'defaultSetterInfo' for nullability + #3439: Java Record '@JsonAnySetter' value is null after deserialization + #4085: '@JsonView' does not work on class-level for records + #4119: Exception when deserialization uses a record with a constructor property with 'access=READ_ONLY' + #4356: 'BeanDeserializerModifier::updateBuilder()' doesn't work for beans with Creator methods + #4407: 'null' type id handling does not work with 'writeTypePrefix()' + #4452: '@JsonProperty' not serializing field names properly on '@JsonCreator' in Record + #4453: Allow JSON Integer to deserialize into a single-arg constructor of parameter type 'double' + #4456: Rework locking in 'DeserializerCache' + #4458: Rework synchronized block from 'BeanDeserializerBase' + #4464: When 'Include.NON_DEFAULT' setting is used, 'isEmpty()' method is not called on the serializer + #4472: Rework synchronized block in 'TypeDeserializerBase' + #4483: Remove 'final' on method BeanSerializer.serialize() + #4515: Rewrite Bean Property Introspection logic in Jackson 2.x + #4545: Unexpected deserialization behavior with '@JsonCreator', '@JsonProperty' and javac '-parameters' + #4570: Deprecate 'ObjectMapper.canDeserialize()'/'ObjectMapper .canSerialize()' + #4580: Add 'MapperFeature .SORT_CREATOR_PROPERTIES_BY_DECLARATION_ORDER' to use Creator properties' declaration order for sorting + #4584: Provide extension point for detecting primary Constructor for Kotlin (and similar) data classes + #4602: Possible wrong use of _arrayDelegateDeserializer in BeanDeserializerBase::deserializeFromObjectUsingNonDefault() + #4617: Record property serialization order not preserved + #4626: '@JsonIgnore' on Record property ignored for deserialization, if there is getter override + #4630: '@JsonIncludeProperties', '@JsonIgnoreProperties' ignored when serializing Records, if there is getter override + #4634: '@JsonAnySetter' not working when annotated on both constructor parameter & field + #4678: Java records don't serialize with 'MapperFeature .REQUIRE_SETTERS_FOR_GETTERS' + #4688: Should allow deserializing with no-arg '@JsonCreator(mode = DELEGATING)' + #4694: Deserializing 'BigDecimal' with large number of decimals result in incorrect value + #4699: Add extra 'writeNumber()' method in 'TokenBuffer' + #4709: Add 'JacksonCollectors' with 'toArrayNode()' implementation + Fix #5962: Case-insensitive deserialization may use wrong @JsonIgnoreProperties (bsc#1268902, CVE-2026-54515)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1268603

https://bugzilla.suse.com/1268897

https://bugzilla.suse.com/1268898

https://bugzilla.suse.com/1268899

https://bugzilla.suse.com/1268902

https://www.suse.com/security/cve/CVE-2026-54512

https://www.suse.com/security/cve/CVE-2026-54513

https://www.suse.com/security/cve/CVE-2026-54514

https://www.suse.com/security/cve/CVE-2026-54515

Plugin Details

Severity: High

ID: 325046

File Name: openSUSE-2026-21201-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/3/2026

Updated: 7/3/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 58.02

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-54513

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:jackson-core, p-cpe:/a:novell:opensuse:jackson-databind-javadoc, p-cpe:/a:novell:opensuse:jackson-annotations, p-cpe:/a:novell:opensuse:jackson-core-javadoc, p-cpe:/a:novell:opensuse:jackson-annotations-javadoc, p-cpe:/a:novell:opensuse:jackson-databind

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/1/2026

Vulnerability Publication Date: 6/23/2026

Reference Information

CVE: CVE-2026-54512, CVE-2026-54513, CVE-2026-54514, CVE-2026-54515