CVE-2019-14892: jackson-databind Deserialization Vulnerability Fix

Based on the web page screenshot, the following are the key details regarding this vulnerability: Vulnerability ID and CVE Number: - Bug ID: 1758171 - CVE Number: CVE-2019-14892 Vulnerability Status: - Status: CLOSED ERRATA Affected Component and Fixed Versions: - Component: jackson-databind - Fixed in versions: jackson-databind 2.9.10, jackson-databind 2.6.7.3 Detailed Description and Upstream Information: - Description: A vulnerability was discovered in jackson-databind. New serialization gadgets were found, which could facilitate exploitation of deserialization issues. - Upstream Issue Link: https://github.com/FasterXML/jackson-databind/issues/2462 - Upstream Fix Link: https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af - Reference Link: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 Affected Products: - Includes but is not limited to: - Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6, 7, 8 - Red Hat Single Sign-On - Red Hat Process Automation - Red Hat Decision Manager - Red Hat OpenShift Application Runtimes - etc. Excluded Security Concerns: - For specific Red Hat JBoss product lines, this vulnerability falls outside the scope of security support, such as Red Hat JBoss BPM Suite 6 and Red Hat JBoss Data Virtualization & Services 6. For more details, refer to: https://access.redhat.com/support/policy/updates/jboss_notes Updates and Fixes: - This vulnerability has been addressed via multiple RHSA advisories, including RHSA-2020:0164, RHSA-2020:0159, RHSA-2020:0160, etc. - The vulnerability is now closed; future product-specific updates will be documented on the CVE page: https://access.redhat.com/security/cve/cve-2019-14892 Additional Comments and Further Information: - Certain specific products (e.g., Red Hat Data Grid, Red Hat Satellite) are unaffected or not impacted in a related manner; further details are discussed in individual comments. For example, Red Hat ActiveMQ Artemis 2.12.0 does not require a fix for this vulnerability. - Future version updates may address dependencies on jackson-databind that currently do not require immediate upgrades. - Potential impacts on other systems should be evaluated based on actual environments and handled according to vendor recommendations. The above information is extracted from the detailed description and comments in the Bugzilla report. Please note that reading the complete documentation and official advisories is recommended for the most comprehensive understanding.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2019-14892: jackson-databind Deserialization Vulnerability Fix