Security update for jackson-databind SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0243-1 Final 1 1 2021-01-29T08:37:34Z current 2021-01-29T08:37:34Z 2021-01-29T08:37:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for jackson-databind This update for jackson-databind fixes the following issues: jackson-databind was updated to 2.10.5.1: * #2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent external entity expansion in all cases (CVE-2020-25649, bsc#1177616) * #2787 (partial fix): NPE after add mixin for enum * #2679: 'ObjectMapper.readValue('123', Void.TYPE)' throws 'should never occur' The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/manager/5.0/x86_64/server-attestation:latest-2021-243,Container suse/manager/5.0/x86_64/server:latest-2021-243,Container suse/multi-linux-manager/5.1/x86_64/server-attestation:latest-2021-243,Container suse/multi-linux-manager/5.1/x86_64/server:latest-2021-243,Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure-2021-243,Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM-2021-243,Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE-2021-243,Image SLES15-SP4-Manager-Server-4-3-2021-243,Image SLES15-SP4-Manager-Server-4-3-Azure-llc-2021-243,Image SLES15-SP4-Manager-Server-4-3-Azure-ltd-2021-243,Image SLES15-SP4-Manager-Server-4-3-BYOS-2021-243,Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure-2021-243,Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2-2021-243,Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE-2021-243,Image SLES15-SP4-Manager-Server-4-3-EC2-llc-2021-243,Image SLES15-SP4-Manager-Server-4-3-EC2-ltd-2021-243,Image server-attestation-image-2021-243,Image server-image-2021-243,SUSE-2021-243,SUSE-SLE-Module-Development-Tools-15-SP2-2021-243 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210243-1/ Link for SUSE-SU-2021:0243-1 https://lists.suse.com/pipermail/sle-security-updates/2021-January/008253.html E-Mail link for SUSE-SU-2021:0243-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1177616 SUSE Bug 1177616 https://bugzilla.suse.com/1180391 SUSE Bug 1180391 https://bugzilla.suse.com/1181118 SUSE Bug 1181118 https://www.suse.com/security/cve/CVE-2020-25649/ SUSE CVE CVE-2020-25649 page https://www.suse.com/security/cve/CVE-2020-35728/ SUSE CVE CVE-2020-35728 page https://www.suse.com/security/cve/CVE-2021-20190/ SUSE CVE CVE-2021-20190 page Container suse/manager/5.0/x86_64/server-attestation:latest Container suse/manager/5.0/x86_64/server:latest Container suse/multi-linux-manager/5.1/x86_64/server-attestation:latest Container suse/multi-linux-manager/5.1/x86_64/server:latest Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3 Image SLES15-SP4-Manager-Server-4-3-Azure-llc Image SLES15-SP4-Manager-Server-4-3-Azure-ltd Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3-EC2-llc Image SLES15-SP4-Manager-Server-4-3-EC2-ltd Image server-attestation-image Image server-image SUSE Linux Enterprise Module for Development Tools 15 SP2 jackson-databind-2.10.5.1-3.3.2 jackson-databind-javadoc-2.10.5.1-3.3.2 jackson-databind-2.10.5.1-3.3.2 as a component of Container suse/manager/5.0/x86_64/server-attestation:latest jackson-databind-2.10.5.1-3.3.2 as a component of Container suse/manager/5.0/x86_64/server:latest jackson-databind-2.10.5.1-3.3.2 as a component of Container suse/multi-linux-manager/5.1/x86_64/server-attestation:latest jackson-databind-2.10.5.1-3.3.2 as a component of Container suse/multi-linux-manager/5.1/x86_64/server:latest jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP4-Manager-Server-4-3 jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-llc jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-ltd jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP4-Manager-Server-4-3-EC2-llc jackson-databind-2.10.5.1-3.3.2 as a component of Image SLES15-SP4-Manager-Server-4-3-EC2-ltd jackson-databind-2.10.5.1-3.3.2 as a component of Image server-attestation-image jackson-databind-2.10.5.1-3.3.2 as a component of Image server-image jackson-databind-2.10.5.1-3.3.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. CVE-2020-25649 Container suse/manager/5.0/x86_64/server-attestation:latest:jackson-databind-2.10.5.1-3.3.2 Container suse/manager/5.0/x86_64/server:latest:jackson-databind-2.10.5.1-3.3.2 Container suse/multi-linux-manager/5.1/x86_64/server-attestation:latest:jackson-databind-2.10.5.1-3.3.2 Container suse/multi-linux-manager/5.1/x86_64/server:latest:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-EC2-llc:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-EC2-ltd:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3:jackson-databind-2.10.5.1-3.3.2 Image server-attestation-image:jackson-databind-2.10.5.1-3.3.2 Image server-image:jackson-databind-2.10.5.1-3.3.2 SUSE Linux Enterprise Module for Development Tools 15 SP2:jackson-databind-2.10.5.1-3.3.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210243-1/ https://www.suse.com/security/cve/CVE-2020-25649.html CVE-2020-25649 https://bugzilla.suse.com/1177616 SUSE Bug 1177616 FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). CVE-2020-35728 Container suse/manager/5.0/x86_64/server-attestation:latest:jackson-databind-2.10.5.1-3.3.2 Container suse/manager/5.0/x86_64/server:latest:jackson-databind-2.10.5.1-3.3.2 Container suse/multi-linux-manager/5.1/x86_64/server-attestation:latest:jackson-databind-2.10.5.1-3.3.2 Container suse/multi-linux-manager/5.1/x86_64/server:latest:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-EC2-llc:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-EC2-ltd:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3:jackson-databind-2.10.5.1-3.3.2 Image server-attestation-image:jackson-databind-2.10.5.1-3.3.2 Image server-image:jackson-databind-2.10.5.1-3.3.2 SUSE Linux Enterprise Module for Development Tools 15 SP2:jackson-databind-2.10.5.1-3.3.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210243-1/ https://www.suse.com/security/cve/CVE-2020-35728.html CVE-2020-35728 https://bugzilla.suse.com/1180391 SUSE Bug 1180391 A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2021-20190 Container suse/manager/5.0/x86_64/server-attestation:latest:jackson-databind-2.10.5.1-3.3.2 Container suse/manager/5.0/x86_64/server:latest:jackson-databind-2.10.5.1-3.3.2 Container suse/multi-linux-manager/5.1/x86_64/server-attestation:latest:jackson-databind-2.10.5.1-3.3.2 Container suse/multi-linux-manager/5.1/x86_64/server:latest:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-BYOS:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-EC2-llc:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3-EC2-ltd:jackson-databind-2.10.5.1-3.3.2 Image SLES15-SP4-Manager-Server-4-3:jackson-databind-2.10.5.1-3.3.2 Image server-attestation-image:jackson-databind-2.10.5.1-3.3.2 Image server-image:jackson-databind-2.10.5.1-3.3.2 SUSE Linux Enterprise Module for Development Tools 15 SP2:jackson-databind-2.10.5.1-3.3.2 moderate 8.3 AV:N/AC:M/Au:N/C:P/I:P/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210243-1/ https://www.suse.com/security/cve/CVE-2021-20190.html CVE-2021-20190 https://bugzilla.suse.com/1181118 SUSE Bug 1181118