CVE-2018-14718

Published: Jan 2, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Affected (57)

Products: Fasterxml: Jackson Databind · Debian: Debian Linux · Oracle: Banking Platform, Business Process Management Suite, Communications Billing And Revenue Management, Communications Instant Messaging Server, Enterprise Manager For Virtualization, Financial Services Analytical Applications Infrastructure, Global Lifecycle Management Opatch, Jd Edwards Enterpriseone Orchestrator, Jd Edwards Enterpriseone Tools, Jdeveloper, Nosql Database, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier, Retail Customer Management And Segmentation Foundation, Retail Merchandising System, Retail Workforce Management Software, Siebel Engineering Installer & Deployment, Siebel Ui Framework, Webcenter Portal · +2 more

Show all products

Fasterxml: Jackson Databind · Debian: Debian Linux · Oracle: Banking Platform, Business Process Management Suite, Communications Billing And Revenue Management, Communications Instant Messaging Server, Enterprise Manager For Virtualization, Financial Services Analytical Applications Infrastructure, Global Lifecycle Management Opatch, Jd Edwards Enterpriseone Orchestrator, Jd Edwards Enterpriseone Tools, Jdeveloper, Nosql Database, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier, Retail Customer Management And Segmentation Foundation, Retail Merchandising System, Retail Workforce Management Software, Siebel Engineering Installer & Deployment, Siebel Ui Framework, Webcenter Portal · Netapp: Oncommand Workflow Automation, Snapcenter, Steelstore Cloud Integrated Storage · Redhat: Openshift Container Platform

1 product

1 product

19 products

Business Process Management Suite

Communications Billing And Revenue Management

Communications Instant Messaging Server

Enterprise Manager For Virtualization

Financial Services Analytical Applications Infrastructure

Global Lifecycle Management Opatch

Jd Edwards Enterpriseone Orchestrator

Jd Edwards Enterpriseone Tools

Jdeveloper

Nosql Database

Primavera P6 Enterprise Project Portfolio Management

Primavera Unifier

Retail Customer Management And Segmentation Foundation

Retail Merchandising System

Retail Workforce Management Software

Siebel Engineering Installer & Deployment

Siebel Ui Framework

Webcenter Portal

Netapp

3 products

Oncommand Workflow Automation

Snapcenter

Steelstore Cloud Integrated Storage

Redhat

1 product

Openshift Container Platform

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Jackson Databind	From 2.0.0 to 2.6.7.3
Fasterxml Jackson Databind	From 2.7.0 to 2.7.9.5
Fasterxml Jackson Databind	From 2.8.0 to 2.8.11.3
Fasterxml Jackson Databind	From 2.9.0 to 2.9.7

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration C

44 vulnerable

Vulnerable Software	Affected Versions
Oracle Banking Platform	Version 2.5.0
Oracle Banking Platform	Version 2.6.0
Oracle Banking Platform	Version 2.6.1
Oracle Banking Platform	Version 2.6.2
Oracle Business Process Management Suite	Version 12.1.3.0.0
Oracle Business Process Management Suite	Version 12.2.1.3.0
Oracle Communications Billing And Revenue Management	Version 12.0
Oracle Communications Billing And Revenue Management	Version 7.5
Oracle Communications Instant Messaging Server	Version 10.0.1.3.0
Oracle Enterprise Manager For Virtualization	Version 13.2.2
Oracle Enterprise Manager For Virtualization	Version 13.2.3
Oracle Enterprise Manager For Virtualization	Version 13.3.1
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.2
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.3
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.4
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.5
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.6
Oracle Financial Services Analytical Applications Infrastructure	Version 8.0.7
Oracle Global Lifecycle Management Opatch	Before 11.2.0.3.23
Oracle Global Lifecycle Management Opatch	From 12.2.0.1.0 to 12.2.0.1.19
Oracle Global Lifecycle Management Opatch	From 13.9.4.0.0 to 13.9.4.2.1
Oracle Jd Edwards Enterpriseone Orchestrator	Version 9.2
Oracle Jd Edwards Enterpriseone Tools	Version 9.2
Oracle Jdeveloper	Version 12.1.3.0.0
Oracle Jdeveloper	Version 12.2.1.3.0
Oracle Nosql Database	Before 19.3.12
Oracle Nosql Database	Version 19.3.12
Oracle Primavera P6 Enterprise Project Portfolio Management	From 17.7 to 17.12
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 15.1
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 15.2
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 16.1
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 16.2
Oracle Primavera P6 Enterprise Project Portfolio Management	Version 18.8
Oracle Primavera Unifier	From 17.7 to 17.12
Oracle Primavera Unifier	Version 16.1
Oracle Primavera Unifier	Version 16.2
Oracle Primavera Unifier	Version 18.8
Oracle Retail Customer Management And Segmentation Foundation	Version 17.0
Oracle Retail Merchandising System	Version 15.0
Oracle Retail Merchandising System	Version 16.0
Oracle Retail Workforce Management Software	Version 1.60.9.0.0
Oracle Siebel Engineering Installer & Deployment	Up to 19.8
Oracle Siebel Ui Framework	Up to 19.10
Oracle Webcenter Portal	Version 12.2.1.3.0

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Workflow Automation	All versions
Netapp Snapcenter	All versions
Netapp Steelstore Cloud Integrated Storage	All versions

Configuration E

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	From 3.11 to 3.11.153
Redhat Openshift Container Platform	From 4.6 to 4.6.26
Redhat Openshift Container Platform	Version 3.10

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	From 4.1 to 4.1.18

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 7.0

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (70)

http://www.securityfocus.com/bid/106601

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHBA-2019:0959

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0782

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0877

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1782

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1797

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1822

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1823

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2804

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2858

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3002

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3140

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3149

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3892

Source: cve@mitre.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:4037

Source: cve@mitre.org

Third Party Advisory

https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/FasterXML/jackson-databind/issues/2097

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7

Source: cve@mitre.org

PatchRelease NotesThird Party Advisory

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286%40%3Cdev.lucene.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f%40%3Cdev.lucene.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df%40%3Cdev.lucene.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E

Source: cve@mitre.org

https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://seclists.org/bugtraq/2019/May/68

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://security.netapp.com/advisory/ntap-20190530-0003/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2019/dsa-4452

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: cve@mitre.org

PatchThird Party Advisory

http://www.securityfocus.com/bid/106601