IBM Support

Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony

Created by Xing Fang on
Published URL:
https://www.ibm.com/support/pages/node/888039
888039

Security Bulletin


Summary

Multiple vulnerabilities exist in the Jackson databind, core, and annotations version used by IBM Spectrum Symphony 7.2.1, 7.2.0.2, and 7.1.2, and IBM Platform Symphony 7.1.1 and 7.1 Fix Pack 1. Interim fixes that provide instructions on upgrading Jackson databind, core, and annotations to version 2.9.8 (which resolves these vulnerabilities) are available on IBM Fix Central.

Vulnerability Details

CVEID: CVE-2018-14721
DESCRIPTION: FasterXML jackson-databind is vulnerable to server-side request forgery, caused by the failure to block the axis2-jaxws class from polymorphic deserialization. A remote authenticated attacker could exploit this vulnerability to obtain sensitive data.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155136 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-14720
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by JDK classes. By sending a specially-crafted XML data. A remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155137 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-14718
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the slf4j-ext class from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155139 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-14719
DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155138 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum Symphony 7.2.1, 7.2.0.2, and 7.1.2

IBM Platform Symphony 7.1.1 and 7.1 Fix Pack 1

Remediation/Fixes

Download the interim fixes that correspond to your product version from IBM Fix Central, then follow the steps in the accompanying readme to apply the interim fix on Linux x86_64 hosts in your cluster:

IBM Spectrum Symphony 7.2.1 (x86_64) sym-7.2.1-build521112
IBM Spectrum Symphony 7.2.0.2 (x86_64) sym-7.2.0.2-build521104
IBM Spectrum Symphony 7.1.2 (x86_64) sym-7.1.2-build521103
IBM Platform Symphony 7.1.1 (x86_64)
IBM Platform Symphony 7.1 Fix Pack 1 (x86_64) sym-7.1-build521096

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

References

Off

Change History

June 18, 2019: Original version.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSZUMP","label":"IBM Spectrum Symphony"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1.2, 7.2.0.2, 7.2.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSGSMK","label":"Platform Symphony"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1 Fix Pack 1, 7.1.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
19 June 2019

UID

ibm10888039