USN-4813-1: Jackson Databind vulnerabilities

15 March 2021

Several security issues were fixed in Jackson Databind.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Ubuntu 16.04 ESM

Packages

jackson-databind - fast and powerful JSON library for Java -- data binding

Details

It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to obtain
sensitive information. (CVE-2018-11307, CVE-2019-12086, CVE-2019-12814)

It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to execute
arbitrary code or other unspecified impact. (CVE-2018-12022,
CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-19360,
CVE-2018-19361, CVE-2018-19362, CVE-2019-12384, CVE-2019-14379,
CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330,
CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969,
CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619,
CVE-2020-11620, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062,
CVE-2020-14195, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548)

It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to execute XML
entity (XXE) attacks. (CVE-2018-14720)

It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to execute
server-side request forgery (SSRF). (CVE-2018-14721)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04

libjackson2-databind-java - 2.4.2-3ubuntu0.1~esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

CVE-2019-14540
CVE-2020-10969
CVE-2020-10673
CVE-2020-11113
CVE-2019-12814
CVE-2020-11620
CVE-2020-8840
CVE-2020-14060
CVE-2019-20330
CVE-2020-9548
CVE-2020-10968
CVE-2019-17267
CVE-2020-14061
CVE-2020-10672
CVE-2020-11111
CVE-2018-14720
CVE-2018-11307
CVE-2019-16335
CVE-2018-19362
CVE-2019-12086
CVE-2019-14379
CVE-2019-12384
CVE-2020-11619
CVE-2018-19361
CVE-2018-19360
CVE-2018-14721
CVE-2020-14062
CVE-2019-16943
CVE-2019-16942
CVE-2019-17531
CVE-2018-12023
CVE-2018-14718
CVE-2020-14195
CVE-2020-9546
CVE-2020-9547
CVE-2019-14439
CVE-2020-11112
CVE-2018-12022
CVE-2018-14719

Join the discussion

Need help with your security needs?

Ubuntu Pro provides up to ten-year security coverage for over 23,000 open-source packages within the Ubuntu Main and Universe repositories.

Talk to an expert to find out what would work best for you

USN-4813-1: Jackson Databind vulnerabilities

Reduce your security exposure

Releases

Packages

Details

Reduce your security exposure

Update instructions

Ubuntu 16.04

References

Join the discussion

Need help with your security needs?

Further reading