IBM Support

Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony

Security Bulletin


Summary

Multiple vulnerabilities exist in the Jackson databind, core, and annotations version used by IBM Spectrum Symphony V7.2.1, V7.2.0.2, and V7.1.2, and IBM Platform Symphony V7.1.1 and V7.1 Fix Pack 1. Interim fixes that provide instructions on upgrading the Jackson databind, core, and annotations package to version 2.9.10 (which resolves these vulnerabilities) are available on IBM Fix Central.

Vulnerability Details

CVEID:   CVE-2019-16335
DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167205 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:   CVE-2019-14379
DESCRIPTION:   SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165286 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:   CVE-2019-14439
DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164744 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Spectrum Symphony 7.2.1
IBM Spectrum Symphony 7.2.0.2
IBM Spectrum Symphony 7.1.2
IBM Platform Symphony 7.1.1
IBM Platform Symphony 7.1 Fix Pack 1

Remediation/Fixes

Download the interim fixes that correspond to your product version from IBM Fix Central, then follow the steps in the accompanying readme to apply the interim fix on Linux x86_64 hosts in your cluster:
IBM Spectrum Symphony 7.2.1 sym-7.2.1-build531757
IBM Spectrum Symphony 7.2.0.2 sym-7.2.0.2-build531756
IBM Spectrum Symphony 7.1.2 sym-7.1.2-build531754
IBM Platform Symphony 7.1.1
IBM Platform Symphony 7.1 Fix Pack 1 sym-7.1-build531748

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

11 Nov 2019: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSGSMK","label":"Platform Symphony"},"Component":"SOAM","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2.1;7.2.0.2;7.1.2;7.1.1;7.1 Fix Pack 1","Edition":"7.2.1;7.2.0.2;7.1.2;7.1.1;7.1 Fix Pack 1","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
20 December 2019

UID

ibm11106763

Page Feedback