FasterXML jackson-databind 代码问题漏洞

CNNVD-ID编号	CNNVD-202002-354
CVE编号	CVE-2020-8840
发布时间	2020-02-10
更新时间	2020-10-29
漏洞类型	代码问题
漏洞来源	N/A
危险等级	超危
威胁类型	远程
厂商	N/A

漏洞介绍

FasterXML Jackson是美国FasterXML公司的一款适用于Java的数据处理工具。jackson-databind是其中的一个具有数据绑定功能的组件。

FasterXML jackson-databind 2.0.0版本至2.9.10.2版本中存在代码问题漏洞，该漏洞源于程序缺少xbean-reflect/JNDI黑名单类。攻击者可利用该漏洞执行代码。

漏洞补丁

目前厂商已发布升级了FasterXML jackson-databind 代码问题漏洞的补丁，FasterXML jackson-databind 代码问题漏洞的补丁获取链接：

https://github.com/FasterXML/jackson-databind/issues/2620

参考网址

来源:MLIST

链接：https://lists.apache.org/thread.html/r3d20a2660b36551fd8257d479941782af4a7169582449fac1704bde2@%3Ccommits.druid.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r65ee95fa09c831843bac81eaa582fdddc2b6119912a72d1c83a9b882@%3Cissues.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r46bebdeb59b8b7212d63a010ca445a9f5c4e9d64dcf693cab6f399d3@%3Ccommits.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rac5ee5d686818be7e7c430d35108ee01a88aae54f832d32f62431fd1@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r9e59ebaf76fd00b2fa3ff5ebf18fe075ca9f4376216612c696f76718@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E
来源:N/A

链接：https://www.oracle.com/security-alerts/cpuapr2020.html
来源:MLIST

链接：https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/re7326b8655eab931f2a9ce074fd9a1a51b5db11456bee9b48e1e170c@%3Cissues.zookeeper.apache.org%3E
来源:CONFIRM

链接：https://security.netapp.com/advisory/ntap-20200327-0002/
来源:MLIST

链接：https://lists.apache.org/thread.html/r446646c5588b10f5e02409ad580b12f314869009cdfbf844ca395cec@%3Cdev.ranger.apache.org%3E
来源:MISC

链接：https://www.oracle.com/security-alerts/cpuoct2020.html
来源:MLIST

链接：https://lists.apache.org/thread.html/rb5eedf90ba3633e171a2ffdfe484651c9490dc5df74c8a29244cbc0e@%3Ccommits.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r1c09b9551f6953dbeca190a4c4b78198cdbb9825fce36f96fe3d8218@%3Cdev.tomee.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r5d8bea8e9d17b6efcf4a0e4e194e91ef46a99f505777a31a60da2b38@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r078e68a926ea6be12e8404e47f45aabf04bb4668e8265c0de41db6db@%3Ccommits.druid.apache.org%3E
来源:MISC

链接：https://github.com/FasterXML/jackson-databind/issues/2620
来源:MLIST

链接：https://lists.apache.org/thread.html/r319f19c74e06c201b9d4e8b282a4e4b2da6dcda022fb46f007dd00d3@%3Ccommits.druid.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rfc1ccfe89332155b72ce17f13a2701d3e7b9ec213324ceb90e79a28a@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r94930e39b60fff236160c1c4110fe884dc093044b067aa5fc98d7ee1@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html
来源:MLIST

链接：https://lists.apache.org/thread.html/rf28ab6f224b48452afd567dfffb705fbda0fdbbf6535f6bc69d47e91@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r1efc776fc6ce3387593deaa94bbdd296733b1b01408a39c8d1ab9e0e@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r6fdd4c61a09a0c89f581b4ddb3dc6f154ab0c705fcfd0a7358b2e4e5@%3Cissues.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rb43f9a65150948a6bebd3cb77ee3e105d40db2820fd547528f4e7f89@%3Cissues.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r428d068b2a4923f1a5a4f5fc6381b95205cfe7620169d16db78e9c71@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rc717fd6c65190f4e592345713f9ef0723fb7d71f624caa2a17caa26a@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r7762d69e85c58d6948823424017ef4c08f47de077644277fa18cc116@%3Cdev.ranger.apache.org%3E
来源:CONFIRM

链接：https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-01-fastjason-en
来源:MLIST

链接：https://lists.apache.org/thread.html/r3539bd3a377991217d724879d239e16e86001c54160076408574e1da@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rdf8d389271a291dde3b2f99c36918d6cb1e796958af626cc140fee23@%3Ccommits.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r2fa8046bd47fb407ca09b5107a80fa6147ba4ebe879caae5c98b7657@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rb73708bf714ed6dbc1212da082e7703e586077f0c92f3940b2e82caf@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/ra275f29615f35d5b40106d1582a41e5388b2a5131564e9e01a572987@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rb99c7321eba5d4c907beec46675d52827528b738cfafd48eb4d862f1@%3Cdev.tomee.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/re8ae2670ec456ef1c5a2a661a2838ab2cd00e9efa1e88c069f546f21@%3Ccommits.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rdea588d4a0ebf9cb7ce8c3a8f18d0d306507c4f8ba178dd3d20207b8@%3Cdev.tomee.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r9ecf211c22760b00967ebe158c6ed7dba9142078e2a630ab8904a5b7@%3Cdev.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r8170007fd9b263d65b37d92a7b5d7bc357aedbb113a32838bc4a9485@%3Cissues.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rcc72b497e3dff2dc62ec9b89ceb90bc4e1b14fc56c3c252a6fcbb013@%3Cdev.ranger.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rdf311f13e6356297e0ffe74397fdd25a3687b0a16e687c3ff5b834d8@%3Cdev.ranger.apache.org%3E
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-jackson-databind-affect-ibm-sterling-b2b-integrator/
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-fasterxml-jackson-databind-affect-ibm-spectrum-protect-plus-cve-2020-9548-cve-2020-9546-cve-2020-9547-cve-2020-8840-cve-2019-20330/
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affected-by-jackson-databind-vulnerability-cve-2020-8840/
来源:www.huawei.com

链接：https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20200722-01-json-cn
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3703/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2287/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2588/
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-jackson-databind-publicly-disclosed-vulnerability-found-in-network-performance-insight-cve-2020-8840/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2619/
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-affected-by-multiple-vulnerabilities/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.1766/
来源:vigilance.fr

链接：https://vigilance.fr/vulnerability/FasterXML-jackson-databind-privilege-escalation-via-xbean-reflect-JNDI-31653
来源:nvd.nist.gov

链接：https://nvd.nist.gov/vuln/detail/CVE-2020-8840
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2050/
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-with-fasterxml-jackson-databind/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158048/Red-Hat-Security-Advisory-2020-2512-01.html
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-jackson-databind-affects-ibm-operations-analytics-predictive-insights-cve-2020-8840/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2042/
来源:www.nsfocus.net

链接：http://www.nsfocus.net/vulndb/45929
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158282/Red-Hat-Security-Advisory-2020-2813-01.html
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159208/Red-Hat-Security-Advisory-2020-3779-01.html
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-open-source-jackson-databind-used-in-ibm-cloud-pak-system-cve-2020-8840/
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-security-vulnerabilities/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3190/
来源:www.nsfocus.net

链接：http://www.nsfocus.net/vulndb/48472
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affects-ibm-jazz-foundation-and-ibm-engineering-products/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.1440/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159724/Red-Hat-Security-Advisory-2020-4366-01.html
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159083/Red-Hat-Security-Advisory-2020-3642-01.html

受影响实体

暂无

信息来源

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202002-354