Описание
Уязвимость компонента DOMDeserializer библиотеки FasterXML jackson-databind связана с неверным ограничением XML-ссылок на внешние объекты. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, проводить XXE-атаки
Вендор
Oracle Corp.
Fedora Project
IBM Corp.
FasterXML, LLC
Apache Software Foundation
АО "НППКТ"
АО «НТЦ ИТ РОСА»
АО «Концерн ВНИИНС»
Наименование ПО
Oracle Communications Messaging Server
Application Testing Suite
Primavera Unifier
Oracle Coherence
Banking Platform
Fedora
Oracle Agile PLM
Oracle Insurance Rules Palette
Oracle Communications Evolved Communications Application Server
Communications Billing and Revenue Management
Oracle SD-WAN Edge
Oracle Communications Services Gatekeeper
Oracle GoldenGate Application Adapters
Oracle Health Sciences Empirica Signal
JD Edwards EnterpriseOne Tools
Oracle Retail Xstore Point of Service
Oracle Communications Unified Inventory Management
Oracle WebCenter Portal
Communications Diameter Signaling Router
Primavera Gateway
Oracle Utilities Framework
Oracle Banking APIs
Blockchain Platform
Commerce
Banking Treasury Management
Banking Virtual Account Management
Communications Instant Messaging Server
Communications Interactive Session Recorder
Communications Pricing Design Center
IBM Security Access Manager
Jackson-databind
IoTDB
Communications Convergent Charging Controller
Communications Network Charging and Control
Oracle Communications Cloud Native Core Unified Data Repository
Insurance Policy Administration
JD Edwards EnterpriseOne Orchestrator
Oracle Retail Service Backbone
Oracle Communications Offline Mediation Controller
Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite
Oracle Banking Extensibility Workbench
ОСОН ОСнова Оnyx
РОСА ХРОМ
ОС ОН «Стрелец»
Версия ПО
8.1 (Oracle Communications Messaging Server)
13.3.0.1 (Application Testing Suite)
18.8 (Primavera Unifier)
12.2.1.4.0 (Oracle Coherence)
19.12 (Primavera Unifier)
от 17.7 до 17.12 включительно (Primavera Unifier)
2.6.2 (Banking Platform)
32 (Fedora)
2.7.0 (Banking Platform)
2.7.1 (Banking Platform)
2.9.0 (Banking Platform)
9.3.6 (Oracle Agile PLM)
11.0.2 (Oracle Insurance Rules Palette)
8.0.2 (Oracle Communications Messaging Server)
7.1 (Oracle Communications Evolved Communications Application Server)
7.5.0.23.0 (Communications Billing and Revenue Management)
12.0.0.3.0 (Communications Billing and Revenue Management)
14.1.1.0.0 (Oracle Coherence)
9.0 (Oracle SD-WAN Edge)
7.0 (Oracle Communications Services Gatekeeper)
19.1.0.0.0 (Oracle GoldenGate Application Adapters)
9.0 (Oracle Health Sciences Empirica Signal)
20.12 (Primavera Unifier)
2.8.0 (Banking Platform)
до 9.2.5.3 (JD Edwards EnterpriseOne Tools)
16.0.6 (Oracle Retail Xstore Point of Service)
17.0.4 (Oracle Retail Xstore Point of Service)
18.0.3 (Oracle Retail Xstore Point of Service)
19.0.2 (Oracle Retail Xstore Point of Service)
7.4.1 (Oracle Communications Unified Inventory Management)
12.2.1.3.0 (Oracle WebCenter Portal)
12.2.1.4.0 (Oracle WebCenter Portal)
от 8.0.0.0 до 8.5.0.0 включительно (Communications Diameter Signaling Router)
от 17.12.0 до 17.12.11 включительно (Primavera Gateway)
4.4.0.3.0 (Oracle Utilities Framework)
4.4.0.2.0 (Oracle Utilities Framework)
4.4.0.0.0 (Oracle Utilities Framework)
от 18.1 до 18.3 включительно (Oracle Banking APIs)
19.1 (Oracle Banking APIs)
19.2 (Oracle Banking APIs)
20.1 (Oracle Banking APIs)
21.1 (Oracle Banking APIs)
до 21.1.2 (Blockchain Platform)
11.2.0 (Commerce)
от 11.3.0 до 11.3.2 включительно (Commerce)
2.10.0 (Banking Platform)
14.4 (Banking Treasury Management)
14.2.0 (Banking Virtual Account Management)
14.3.0 (Banking Virtual Account Management)
14.5.0 (Banking Virtual Account Management)
10.0.1.5.0 (Communications Instant Messaging Server)
6.3 (Communications Interactive Session Recorder)
6.4 (Communications Interactive Session Recorder)
12.0.0.4.0 (Communications Pricing Design Center)
до 9.0.7.2-ISS-ISAM-IF0003 (IBM Security Access Manager)
от 2.6.0 до 2.6.7.4 (Jackson-databind)
от 2.9.0 до 2.9.10.7 (Jackson-databind)
от 2.10.0 до 2.10.5.1 (Jackson-databind)
до 0.12.0 (IoTDB)
12.0.4.0.0 (Communications Convergent Charging Controller)
12.0.4.0.0 (Communications Network Charging and Control)
1.4.0 (Oracle Communications Cloud Native Core Unified Data Repository)
от 18.8.0 до 18.8.11 включительно (Primavera Gateway)
от 19.12.0 до 19.12.10 включительно (Primavera Gateway)
20.12.0 (Primavera Gateway)
11.0.2 (Insurance Policy Administration)
от 11.1.0 до 11.3.0 включительно (Insurance Policy Administration)
от 11.1.0 до 11.3.0 включительно (Oracle Insurance Rules Palette)
до 9.2.5.3 (JD Edwards EnterpriseOne Orchestrator)
16.0.3.0 (Oracle Retail Service Backbone)
15.0.3.1 (Oracle Retail Service Backbone)
14.1.3.2 (Oracle Retail Service Backbone)
9.1 (Oracle Health Sciences Empirica Signal)
4.3.0.5.0 (Oracle Utilities Framework)
4.3.0.6.0 (Oracle Utilities Framework)
12.0.0.3 (Oracle Communications Offline Mediation Controller)
3.6 (Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite)
14.2 (Oracle Banking Extensibility Workbench)
14.3 (Oracle Banking Extensibility Workbench)
14.5 (Oracle Banking Extensibility Workbench)
до 2.1 (ОСОН ОСнова Оnyx)
12.4 (РОСА ХРОМ)
до 16.01.2023 (ОС ОН «Стрелец»)
Тип ПО
Прикладное ПО информационных систем
Сетевое программное средство
Операционная система
ПО сетевого программно-аппаратного средства
Программное средство защиты
СУБД
Операционные системы и аппаратные платформы
Fedora Project Fedora 32
АО «НТЦ ИТ РОСА» РОСА ХРОМ 12.4
АО «Концерн ВНИИНС» ОС ОН «Стрелец» до 16.01.2023
Уровень опасности уязвимости
Высокий уровень опасности (базовая оценка CVSS 2.0 составляет 7,8)
Высокий уровень опасности (базовая оценка CVSS 3.0 составляет 7,5)
Возможные меры по устранению уязвимости
Использование рекомендаций:
Для FasterXML jackson-databind:
https://github.com/FasterXML/jackson-databind/issues/2589
Для программных продуктов IBM Corp.:
https://www.ibm.com/support/pages/node/6502211
Для Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/
Для Apache Software Foundation:
https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3Ccommits.turbine.apache.org%3E
https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3Cdev.hive.apache.org%3E
https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E
https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E
https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3Creviews.iotdb.apache.org%3E
https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E
https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3Cdev.knox.apache.org%3E
https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cusers.kafka.apache.org%3E
https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E
https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3Ccommits.iotdb.apache.org%3E
https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3Cnotifications.iotdb.apache.org%3E
https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3Creviews.iotdb.apache.org%3E
https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3Ccommits.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3Cuser.spark.apache.org%3E
https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cusers.kafka.apache.org%3E
https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3Cdev.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3Ccommits.karaf.apache.org%3E
https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3Ccommits.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E
https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E
https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3Ccommits.karaf.apache.org%3E
https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3Ccommits.karaf.apache.org%3E
Для программных продуктов Oracle Corp.:
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
Для ОСОН Основа:
Обновление программного обеспечения jackson-databind до версии 2.9.8-3+deb10u3
Для ОС ОН «Стрелец»:
Обновление программного обеспечения jackson-databind до версии 2.8.6-1+deb9u10
Для операционной системы РОСА ХРОМ: https://abf.rosa.ru/advisories/ROSA-SA-2025-2629
Статус уязвимости
Подтверждена производителем
Наличие эксплойта
Существует
Информация об устранении
Уязвимость устранена
Ссылки на источники
Идентификаторы других систем описаний уязвимостей
- CVE
EPSS
Процентиль: 1%
0.00011
Низкий
7.5 High
CVSS3
7.8 High
CVSS2
Связанные уязвимости
CVSS3: 7.5
ubuntu
больше 4 лет назад
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVSS3: 7.5
redhat
больше 5 лет назад
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVSS3: 7.5
nvd
больше 4 лет назад
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVSS3: 7.5
debian
больше 4 лет назад
A flaw was found in FasterXML Jackson Databind, where it did not have ...
EPSS
Процентиль: 1%
0.00011
Низкий
7.5 High
CVSS3
7.8 High
CVSS2