Vulnerability CVE-2018-12023


Published: 2019-03-21

Description:
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Type:

CWE-502

(Deserialization of Untrusted Data)

Vendor: Oracle
Product: Jd edwards enterpriseone orchestrator 
Version: 9.2;
Product: Jd edwards enterpriseone tools 
Version: 9.2;
Product: Financial services analytical applications infrastructure 
Version:
8.0.7
8.0.6
8.0.5
8.0.4
8.0.3
8.0.2
Product: Communications billing and revenue management 
Version: 7.5; 12.0;
Product: Retail xstore point of service 
Version:
7.1.7
7.0.7
6.5.12
17.0.2
16.0.4
15.0.2
Product: Retail open commerce platform 
Version:
6.0.1
6.0.0
5.3.0
Product: Banking platform 
Version:
2.6.2
2.6.1
2.6.0
2.5.0
Product: Rapid home provisioning 
Version: 18c;
Product: Primavera gateway 
Version:
17.12
16.2
15.2
Product: Primavera unifier 
Version:
16.2
16.1
15.2
15.1
Product: Retail retail invoice matching 
Version: 16.0; 15.0;
Product: Retail allocation 
Version: 16.0; 15.0;
Product: Retail assortment planning 
Version: 15.0;
Product: Retail merchandising system 
Version: 15.0;
Product: Enterprise manager for virtualization 
Version:
13.3.1
13.2.3
13.2.2
Product: Webcenter portal 
Version: 12.2.1.3.0;
Product: Identity manager 
Version: 12.2.1.3.0; 11.1.2.3.0;
Vendor: Fedoraproject
Product: Fedora 
Version: 29;
Vendor: Fasterxml
Product: Jackson-databind 
Version:
2.9.5
2.9.4
2.9.3
2.9.2
2.9.1
2.9.0
2.8.9
2.8.8.1
2.8.8
2.8.7
2.8.6
2.8.5
2.8.4
2.8.3
2.8.2
2.8.11.1
2.8.11
2.8.10
2.8.1
2.8.0
2.7.9.3
2.7.9.2
2.7.9.1
2.7.9
2.7.8
2.7.7
2.7.6
2.7.5
2.7.4
2.7.3
2.7.2
2.7.1-1
2.7.1
2.7.0

CVSS2 => (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.1/10
6.4/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.securityfocus.com/bid/105659
https://access.redhat.com/errata/RHBA-2019:0959
https://access.redhat.com/errata/RHSA-2019:0782
https://access.redhat.com/errata/RHSA-2019:0877
https://access.redhat.com/errata/RHSA-2019:1106
https://access.redhat.com/errata/RHSA-2019:1107
https://access.redhat.com/errata/RHSA-2019:1108
https://access.redhat.com/errata/RHSA-2019:1140
https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a
https://github.com/FasterXML/jackson-databind/issues/2058
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/
https://seclists.org/bugtraq/2019/May/68
https://security.netapp.com/advisory/ntap-20190530-0003/
https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
https://www.debian.org/security/2019/dsa-4452
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Related CVE
CVE-2019-12814
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in ...
CVE-2019-12086
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java ja...
CVE-2018-12022
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in ...
CVE-2018-19362
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CVE-2018-19361
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVE-2018-19360
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVE-2018-14721
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVE-2018-14720
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Copyright 2019, cxsecurity.com

 

Back to Top