Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 695532 (CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439) - <dev-java/jackson-2.9.10: multiple vulnerabilities (CVE-2019-{12086,12384,12814,14379,14439})
Summary: <dev-java/jackson-2.9.10: multiple vulnerabilities (CVE-2019-{12086,12384,128...
Status: RESOLVED FIXED
Alias: CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-24 12:05 UTC by GLSAMaker/CVETool Bot
Modified: 2019-10-06 20:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-09-24 12:05:23 UTC
CVE-2019-12086 (https://nvd.nist.gov/vuln/detail/CVE-2019-12086):
  A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
  before 2.9.9. When Default Typing is enabled (either globally or for a
  specific property) for an externally exposed JSON endpoint, the service has
  the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
  attacker can host a crafted MySQL server reachable by the victim, an
  attacker can send a crafted JSON message that allows them to read arbitrary
  local files on the server. This occurs because of missing
  com.mysql.cj.jdbc.admin.MiniAdmin validation.

CVE-2019-12384 (https://nvd.nist.gov/vuln/detail/CVE-2019-12384):
  FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have
  a variety of impacts by leveraging failure to block the logback-core class
  from polymorphic deserialization. Depending on the classpath content, remote
  code execution may be possible.

CVE-2019-12814 (https://nvd.nist.gov/vuln/detail/CVE-2019-12814):
  A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
  through 2.9.9. When Default Typing is enabled (either globally or for a
  specific property) for an externally exposed JSON endpoint and the service
  has JDOM 1.x or 2.x jar in the classpath, an attacker can send a
  specifically crafted JSON message that allows them to read arbitrary local
  files on the server.

CVE-2019-14379 (https://nvd.nist.gov/vuln/detail/CVE-2019-14379):
  SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2
  mishandles default typing when ehcache is used, leading to remote code
  execution.

CVE-2019-14439 (https://nvd.nist.gov/vuln/detail/CVE-2019-14439):
  A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
  before 2.9.9.2. This occurs when Default Typing is enabled (either globally
  or for a specific property) for an externally exposed JSON endpoint and the
  service has the logback jar in the classpath.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-09-24 12:06:37 UTC
Package has no stable ebuild.

Package dev-java/jackson-annotations must be bumped at the same time.
Comment 2 Larry the Git Cow gentoo-dev 2019-09-25 17:26:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ffaab87d35f7074a8fe82925f6f730a6aabfbb8

commit 0ffaab87d35f7074a8fe82925f6f730a6aabfbb8
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-09-25 17:25:43 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-09-25 17:26:14 +0000

    dev-java/jackson-2.8.5: removed obsolete (also cve)
    
    Bug: https://bugs.gentoo.org/695532
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/jackson/Manifest             |  1 -
 dev-java/jackson/jackson-2.8.5.ebuild | 58 -----------------------------------
 2 files changed, 59 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ffc08a8f196ff9600fba4c127804269534a2f55

commit 0ffc08a8f196ff9600fba4c127804269534a2f55
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-09-25 17:23:24 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-09-25 17:26:14 +0000

    dev-java/jackson-annotations-2.9.10: bump
    
    Bug: https://bugs.gentoo.org/695532
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/jackson-annotations/Manifest              |  1 +
 .../jackson-annotations-2.9.10.ebuild              | 46 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=571aeaecbaf3738fa9204aeb4a34de167da23021

commit 571aeaecbaf3738fa9204aeb4a34de167da23021
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-09-25 17:22:46 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-09-25 17:26:14 +0000

    dev-java/jackson-2.9.10: bump
    
    Bug: https://bugs.gentoo.org/695532
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/jackson/Manifest              |  1 +
 dev-java/jackson/jackson-2.9.10.ebuild | 58 ++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-10-06 20:32:11 UTC
Repository is clean, all done!