May 28, 2023

IBM has fixed 57 vulnerabilities in its Process Mining software, used by enterprises to conduct workflow analysis.

The vulnerabilities were inherited from a third-party package, FasterXML jackson-databind, the Jackson component that reads JSON content into Java objects and JSON trees.

The vulnerabilities were reported between 2018 and 2020, and some were patched by Oracle back in 2019. There are 38 vulnerabilities that carry a Common Vulnerability Scoring System (CVSS) score of 9.8, and IBM reports there are no known workarounds.


Most of the highest-severity bugs are deserialization flaws, most often unsafe deserialization that combines default typing with "gadget" classes already on the classpath, affecting various components of the software.

There are also polymorphic typing issues and further deserialization issues within components of the software. The vulnerabilities allow attackers to send crafted input to the system and achieve arbitrary code execution.
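The common root of the listed jackson-databind CVEs is polymorphic "default typing": when enabled without restriction, the class to instantiate is taken from the JSON document itself, so any class on the classpath becomes a candidate. The example below is an added illustration, not IBM's or the Jackson project's code. It puts the weak configuration next to the allow-list configuration jackson-databind has provided since 2.10, and assumes that version or later on the classpath; the `Shape` model types and the JSON documents are constructed for the demonstration.

```java
// Added example (not IBM's or Jackson's own code): the unsafe "default typing"
// configuration behind most of the listed CVEs, beside the allow-list
// configuration available in jackson-databind 2.10 and later.
// Assumes jackson-databind >= 2.10. Model classes and JSON are constructed.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonDefaultTypingDemo {

    // Hypothetical domain types the application legitimately deserializes.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // WEAK: global default typing with no validator. Any property typed as an
    // interface or Object accepts whatever class name the JSON supplies, so any
    // class on the classpath with side effects in its constructor or setters
    // (a "gadget") becomes reachable. Shown for contrast only; do not use.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // HARDENED: default typing stays on, but only subtypes whose class name
    // starts with our own model prefix may be resolved. Everything else is
    // rejected before Jackson instantiates it.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // inner classes of this demo: JacksonDefaultTypingDemo$Circle, ...
                .allowIfSubType(JacksonDefaultTypingDemo.class.getName() + "$")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        // Also enforce the allow-list for properties annotated with
        // @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS).
        m.setPolymorphicTypeValidator(ptv);
        return m;
    }

    // Returns true when the hardened mapper refuses a document that names a
    // class outside the allow-list (java.util.HashMap is used here only
    // because it is harmless and certainly on the classpath).
    static boolean rejectsForeignType(ObjectMapper m) {
        String hostile = "[\"java.util.HashMap\", {}]";
        try {
            m.readValue(hostile, Shape.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;                      // validator denied the type id
        } catch (Exception e) {
            return false;                     // some other failure: not a rejection
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper m = hardenedMapper();

        // Legitimate round trip: the type id is emitted as a wrapper array,
        // e.g. ["JacksonDefaultTypingDemo$Circle", {"radius": 2.0}]
        Circle c = new Circle();
        c.radius = 2.0;
        String json = m.writerFor(Shape.class).writeValueAsString(c);
        Shape back = m.readValue(json, Shape.class);
        System.out.println("serialized: " + json);
        System.out.println("round trip ok: " + (back instanceof Circle));

        // Document naming a class outside the allow-list is refused.
        System.out.println("foreign type rejected: " + rejectsForeignType(m));
    }
}
```

The practical check for an application that embeds jackson-databind is therefore twofold: confirm the library version is one where `BasicPolymorphicTypeValidator` exists, and grep the code base for `enableDefaultTyping(` and `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS` to find every place where the type id comes from untrusted input and must be covered by an allow-list.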

Users of IBM Process Mining need to upgrade to version 1.12.0.4.

CVE ID
   CVE-2020-36182
   CVE-2020-8840
   CVE-2020-14195
   CVE-2019-16943
   CVE-2019-14540
   CVE-2019-10202
   CVE-2020-25649
   CVE-2019-14893
   CVE-2020-11619
   CVE-2020-14061
   CVE-2020-11113
   CVE-2019-12814
   CVE-2020-36189
   CVE-2020-36181
   CVE-2018-14719
   CVE-2020-9547
   CVE-2020-36184
   CVE-2020-36183
   CVE-2019-12384
   CVE-2020-10673
   CVE-2019-16942
   CVE-2018-19360
   CVE-2020-10968
   CVE-2018-14720
   CVE-2020-14062
   CVE-2019-16335
   CVE-2020-14060
   CVE-2020-36179
   CVE-2020-11620
   CVE-2019-20330
   CVE-2020-9546
   CVE-2020-35491
   CVE-2020-35490
   CVE-2020-36186
   CVE-2020-11111
   CVE-2018-19361
   CVE-2019-14439
   CVE-2019-17531
   CVE-2020-24616
   CVE-2020-10672
   CVE-2020-36188
   CVE-2020-9548
   CVE-2020-10969
   CVE-2019-14892
   CVE-2020-36185
   CVE-2020-36187
   CVE-2019-12086
   CVE-2021-20190
   CVE-2018-19362
   CVE-2019-17267
   CVE-2020-11112
   CVE-2018-14721
   CVE-2020-24750
   CVE-2020-36180
   CVE-2018-14718
   CVE-2019-14379
   CVE-2020-35728
