ID

VAR-202203-1400

CVE

CVE-2020-36518

TITLE

jackson-databind  Out-of-bounds write vulnerability in

DESCRIPTION

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. jackson-databind Exists in an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state. Description: AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). Bugs fixed (https://bugzilla.redhat.com/): 1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties 2028254 - CVE-2021-4040 AMQ Broker: Malformed message can result in partial DoS (OOM) 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability 2089406 - CVE-2022-1833 amq: AMQ Broker Operator ClusterWide Edit Permissions Due Token Exposure 5. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 1923181 - CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure 1925237 - CVE-2020-9492 hadoop: WebHDFS client might send SPNEGO authorization header 1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS 1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information 1943189 - CVE-2021-22137 elasticsearch: Document disclosure flaw when Document or Field Level Security is used 1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents 1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF 1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame 1954559 - CVE-2021-3520 lz4: memory corruption due to an integer overflow bug caused by memmove argument 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS 1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 5. Solution: For OpenShift Container Platform 4.11 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update: https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html For Red Hat OpenShift Logging 5.5, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.html 4. JIRA issues fixed (https://issues.jboss.org/): LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated. LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types. LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config 6. JIRA issues fixed (https://issues.jboss.org/): LOG-3293 - log-file-metric-exporter container has not limits exhausting the resources of the node 6. Description: Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Bugs fixed (https://bugzilla.redhat.com/): 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data 2129809 - CVE-2022-36944 scala: deserialization gadget chain 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data 2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow 2154086 - CVE-2021-0341 okhttp: information disclosure via improperly used cryptographic function 2169845 - CVE-2023-0833 Red Hat A-MQ Streams: component version with information disclosure flaw 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode 2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) 5. JIRA issues fixed (https://issues.jboss.org/): ENTMQST-4107 - [KAFKA] MM2 connector task stopped and didn?t result in failed state ENTMQST-4541 - [PROD] Create RHSA erratum for Streams 2.4.0 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: jackson security update Advisory ID: RHSA-2023:2312-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2312 Issue date: 2023-05-09 CVE Names: CVE-2020-36518 ==================================================================== 1. Summary: An update for jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 9) - noarch 3. Description: Jackson is a suite of data-processing tools for Java, including the flagship streaming JSON parser / generator library, matching data-binding library, and additional modules to process data encoded in various other data formats. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Enterprise Linux AppStream (v. 9): Source: jackson-annotations-2.14.1-1.el9.src.rpm jackson-core-2.14.1-2.el9.src.rpm jackson-databind-2.14.1-2.el9.src.rpm jackson-jaxrs-providers-2.14.1-2.el9.src.rpm jackson-modules-base-2.14.1-2.el9.src.rpm noarch: pki-jackson-annotations-2.14.1-1.el9.noarch.rpm pki-jackson-core-2.14.1-2.el9.noarch.rpm pki-jackson-databind-2.14.1-2.el9.noarch.rpm pki-jackson-jaxrs-json-provider-2.14.1-2.el9.noarch.rpm pki-jackson-jaxrs-providers-2.14.1-2.el9.noarch.rpm pki-jackson-module-jaxb-annotations-2.14.1-2.el9.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZFo1ONzjgjWX9erEAQhQXA//RhJAsKLGfyB+T7HQRwsWYj9OoKCzMCkc ScXoI5eI1LYKZijOPfLHj63Zp/DO+pAJLCaHdb+S+OKRddCSsHRQPw4x0tBWNPPW FBcrbxITZEbyW3WWe7BSE9/HK0ckojEJIaxmBYTsRc8zErXMmPLKGAwODWC0ohjs 8RGmfV5Cj8OzhprS0MWKrbydlv/kUzr/vayM870hRGIwg1+vE3owWYLGN8ZAwqcs 3J/N3OMheZiUk3MxPCkk92sJmpuEmGQrPPL2+I5/lXMRo4SEq3sairxkAwER10i1 kXxF8aFwgHYv5oaD06B+PuIFEQ26Clc97oMMbYBEFDYVGa5pIPNZ0dG16QPO9HLT Co0oFQ/y77HrzmM5FCUI6Zlgt8fccvc2Cg4VGG473zTAkQ0JvsZtbIjH4PVfoMp8 5Rrvk2YZJCTKdjB+7RkgnTZBQ8Xar1XwMBTQ1Zq6Z1b+ERTc8s+ihIOjD86cd+J7 TLPf/fDiy6arGI13lCa81Ssyg2iWOzySHUEag0Fs1eYKWMSoKMuSuywH7e0hjFKG +AqSml6lTxNvwGZ13ieMGslOGRFk01GR6R2BbwnDicXXhqv1O2kuaDenf9HQBteR KsTKBi7dBqdoHwGBpVb8gRxntlKQQKsKv1wpA+A2yDFu4umBxcUoZ9fT2WnI12UH cvdlmKHSc9E=W5RJ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

overflow

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2024-12-21T19:44:53.492000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE