RHSA-2019:2858: Important: OpenShift Container Platform 4.1.18 logging-elasticsearch5 security update

First published: Fri Sep 27 2019(Updated: )

Red Hat OpenShift Container Platform is Red Hat's cloud computing<br>Kubernetes application platform solution designed for on-premise or private<br>cloud deployments.<br>This advisory contains an update for both jackson-databind and guava in the logging-elasticsearch5 container image for Red Hat OpenShift Container Platform 4.1.18.<br>Security Fix(es):<br><li> jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper (CVE-2017-7525)</li> <li> jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)</li> <li> jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)</li> <li> jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)</li> <li> jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)</li> <li> jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)</li> <li> jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)</li> <li> jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)</li> <li> jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)</li> <li> jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)</li> <li> jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)</li> <li> jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384)</li> <li> jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)</li> <li> jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)</li> <li> jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489)</li> <li> guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237)</li> <li> jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)</li> <li> jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)</li> <li> jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. (CVE-2019-12086)</li> <li> jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message. (CVE-2019-12814)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-errata
• source/Red Hat
• anchor-id/RHSA-2019:2858
• agent/description
• agent/event
• agent/first-publish-date
• agent/last-modified-date
• agent/references
• agent/remedy
• agent/severity
• agent/softwarecombine
• agent/tags
• agent/title
• agent/type
• agent/weakness