First published: Thu May 06 2021
Openshift Logging Bug Fix Release (5.0.3)

Security Fix(es):

- jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)
- jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)
- jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)
- jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)
- jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)
- jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)
- jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration (CVE-2020-24750)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-35490)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource (CVE-2020-35491)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-35728)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36179)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36180)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36181)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36182)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-36183)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-36184)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource (CVE-2020-36185)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource (CVE-2020-36186)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource (CVE-2020-36187)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource (CVE-2020-36188)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource (CVE-2020-36189)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing (CVE-2021-20190)
- jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
- jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
- golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)
- golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.