IBM Support

Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020

Security Bulletin


Summary

Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020

Vulnerability Details

CVEID:   CVE-2019-17267
DESCRIPTION:   FasterXML jackson-databind could provide weaker than expected security, caused by a polymorphic typing issue in the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2019-12814
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to read arbitrary local files on the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162875 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2017-7525
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw within the Jackson JSON library in the readValue method of the ObjectMapper. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/134639 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2017-17485
DESCRIPTION:   Jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the default-typing feature. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/137340 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-19362
DESCRIPTION:   An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155093 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2018-19361
DESCRIPTION:   An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155092 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2018-19360
DESCRIPTION:   An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155091 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2018-14721
DESCRIPTION:   FasterXML jackson-databind is vulnerable to server-side request forgery, caused by the failure to block the axis2-jaxws class from polymorphic deserialization. A remote authenticated attacker could exploit this vulnerability to obtain sensitive data.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155136 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2018-7489
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue method of the ObjectMapper. By sending specially crafted JSON input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/139549 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2018-5968
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by deserialization flaws. By using two different gadgets that bypass a blacklist, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138088 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2017-15095
DESCRIPTION:   Jackson Library could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue() method of the ObjectMapper. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/135123 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-12023
DESCRIPTION:   An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151425 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

This vulnerability affects the following versions of the IBM Maximo Asset Management core product.  Older versions of Maximo Asset Management may be impacted. The recommended action is to update to the latest version.

Maximo Asset Management core product versions affected:

Affected Product(s) Version(s)
IBM Maximo Asset Management 7.6.0
IBM Maximo Asset Management 7.6.1

Industry Solutions products affected if using an affected core version:
Maximo for Aviation
Maximo for Life Sciences
Maximo for Nuclear Power
Maximo for Oil and Gas
Maximo for Transportation
Maximo for Utilities

IBM Control Desk products affected if using an affected core version:
SmartCloud Control Desk
IBM Control Desk
Tivoli Integration Composer

* To determine the core product version, log in and view System Information. The core product version is the "Tivoli's process automation engine" version. Please consult the Product Coexistence Matrix for a list of supported product combinations.

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

For Maximo Asset Management 7.6:

VRM Fix Pack, Feature Pack, or Interim Fix Download
7.6.1.2 Maximo Asset Management 7.6.1.2 Feature Pack:
7.6.1.2-TIV-MAMMT-FP002 or latest Interim Fix available
FixCentral

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

16 Sep 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Location

Worldwide

[{"Line of Business":{"code":"LOB02","label":"AI Applications"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Product":{"code":"SSLKT6","label":"Maximo Asset Management"},"ARM Category":[{"code":"a8m0z000000cvcNAAQ","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0;7.6.1"},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSLKZS","label":"Maximo Calibration"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSQPHC","label":"Maximo Asset Management Scheduler Plus"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.7.3, 7.6.7.1, 7.6.7","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSLKYL","label":"Maximo Enterprise Adapter"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1, 7.6","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSXQ46","label":"IBM Maximo APM - Asset Health Insights"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1.1, 7.6.1","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSQHAB","label":"Tivoli Integration Composer"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSLL9Z","label":"Maximo for Transportation"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.2.5, 7.6.2.4, 7.6.2.3","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSLL8M","label":"Maximo for Nuclear Power"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SS3AXP","label":"Maximo Linear Asset Manager"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0.3, 7.6.0.2, 7.6.0.","Edition":""},{"Line of Business":{"code":"","label":""},"Business Unit":{"code":"","label":""},"Product":{"code":"SS5M2U","label":"IBM Maximo APM - Equipment Maintenance Assistant On-Premises"},"ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SS9NUN","label":"Maximo Asset Management Scheduler"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.7.3, 7.6.7.1, 7.6.7","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSSKYY","label":"IBM Maximo Network on Blockchain"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0.1, 7.6.0.0","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSKVFR","label":"Maximo for Service Providers"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.3.3, 7.6.3.2, 7.6.3.1","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSLLAM","label":"Maximo for Utilities"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0.2, 7.6.0.1","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SS5RRF","label":"IBM Maximo for Aviation"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.8, 7.6.7, 7.6.6","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSLL9G","label":"Maximo for Oil and Gas"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSLKSJ","label":"Maximo Asset Configuration Manager"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.7.1, 7.6.7, 7.6.6","Edition":""},{"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Product":{"code":"SSWT9A","label":"Control Desk"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.1.1, 7.6.1","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSG2D3","label":"Maximo Spatial Asset Management"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6.0.5, 7.6.0.4, 7.6.0.3, 7.6.0.2","Edition":""},{"Business Unit":{"code":"BU005","label":"IoT"},"Product":{"code":"SSLL84","label":"Maximo for Life Sciences"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.6","Edition":""}]

Document Information

Modified date:
05 October 2020

UID

ibm16340251