openEuler Security Advisory: jackson-databind security update (openEuler-SA-2021-1051)

Document title: An update for jackson-databind is now available for openEuler-20.03-LTS-SP1
Document type: Security Advisory
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Advisory ID: openEuler-SA-2021-1051
Status: Final
Version: 1.0
Revision history: 1.0, 2021-03-05, Initial
Initial release date: 2021-03-05
Current release date: 2021-03-05
Generator: openEuler SA Tool V1.0, generated 2021-03-05

Synopsis

jackson-databind security update

Topic

An update for jackson-databind is now available for openEuler-20.03-LTS-SP1.

Description

jackson-databind provides the general-purpose data-binding functionality and tree model for the Jackson Data Processor. It builds on the core streaming parser/generator package and uses Jackson Annotations for configuration.

Security Fix(es):

- FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. (CVE-2020-36182)
- FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. (CVE-2020-36183)
- FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. (CVE-2020-36187)
- FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. (CVE-2020-36181)
- FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. (CVE-2020-36186)
- FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. (CVE-2020-36180)
- FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. (CVE-2020-36188)
- FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. (CVE-2020-36184)
- FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. (CVE-2020-36179)
- FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. (CVE-2020-36189)
- A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-20190)

An update for jackson-databind is now available for openEuler-20.03-LTS-SP1.

openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Severity: High
Affected component: jackson-databind

References

Advisory:
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1051

openEuler CVE pages:
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36182
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36183
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36187
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36181
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36186
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36180
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36188
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36184
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36179
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36189
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-20190

NVD:
https://nvd.nist.gov/vuln/detail/CVE-2020-36182
https://nvd.nist.gov/vuln/detail/CVE-2020-36183
https://nvd.nist.gov/vuln/detail/CVE-2020-36187
https://nvd.nist.gov/vuln/detail/CVE-2020-36181
https://nvd.nist.gov/vuln/detail/CVE-2020-36186
https://nvd.nist.gov/vuln/detail/CVE-2020-36180
https://nvd.nist.gov/vuln/detail/CVE-2020-36188
https://nvd.nist.gov/vuln/detail/CVE-2020-36184
https://nvd.nist.gov/vuln/detail/CVE-2020-36179
https://nvd.nist.gov/vuln/detail/CVE-2020-36189
https://nvd.nist.gov/vuln/detail/CVE-2021-20190

Affected products and updated packages

openEuler-20.03-LTS-SP1:
- jackson-databind-2.9.8-7.oe1.noarch.rpm
- jackson-databind-javadoc-2.9.8-7.oe1.noarch.rpm
- jackson-databind-2.9.8-7.oe1.src.rpm

Vulnerability details

Every entry below applies to product openEuler-20.03-LTS-SP1, was released on 2021-03-05 under the title "jackson-databind security update", and references the advisory URL https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1051. The per-CVE descriptions are identical to those listed under Security Fix(es).

CVE ID         | Severity | CVSS base score | CVSS vector
CVE-2020-36182 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-36183 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-36187 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-36181 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-36186 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-36180 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-36188 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-36184 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-36179 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-36189 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-20190 | High     | 8.1             | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H