Description
Security update for jackson-databind
This update for jackson-databind fixes the following issues:
Update to version 2.13.4.2:
- CVE-2022-42003: Fixed missing check in primitive value deserializers to avoid deep wrapper array nesting wrt 'UNWRAP_SINGLE_VALUE_ARRAYS' (bsc#1204370).
- CVE-2022-42004: Fixed missing check in 'BeanDeserializer._deserializeFromArray()' to prevent use of deeply nested arrays (bsc#1204369).
Package list
Container suse/manager/5.0/x86_64/server-attestation:latest
jackson-databind-2.13.4.2-150200.3.12.1
Container suse/manager/5.0/x86_64/server:latest
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP4-Manager-Server-4-3
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP4-Manager-Server-4-3-Azure-llc
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP4-Manager-Server-4-3-Azure-ltd
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP4-Manager-Server-4-3-BYOS
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP4-Manager-Server-4-3-EC2-llc
jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP4-Manager-Server-4-3-EC2-ltd
jackson-databind-2.13.4.2-150200.3.12.1
Image server-attestation-image
jackson-databind-2.13.4.2-150200.3.12.1
Image server-image
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Enterprise Storage 7
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Linux Enterprise Module for Basesystem 15 SP3
jackson-databind-2.13.4.2-150200.3.12.1
jackson-databind-javadoc-2.13.4.2-150200.3.12.1
SUSE Linux Enterprise Module for Basesystem 15 SP4
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Linux Enterprise Module for Development Tools 15 SP3
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Linux Enterprise Server 15 SP2-BCL
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Linux Enterprise Server 15 SP2-LTSS
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Manager Proxy 4.1
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Manager Retail Branch Server 4.1
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Manager Server 4.1
jackson-databind-2.13.4.2-150200.3.12.1
SUSE Manager Server Module 4.3
jackson-databind-2.13.4.2-150200.3.12.1
openSUSE Leap 15.3
jackson-databind-2.13.4.2-150200.3.12.1
jackson-databind-javadoc-2.13.4.2-150200.3.12.1
openSUSE Leap 15.4
jackson-databind-2.13.4.2-150200.3.12.1
jackson-databind-javadoc-2.13.4.2-150200.3.12.1
References
- Link for SUSE-SU-2022:3995-1
- E-Mail link for SUSE-SU-2022:3995-1
- SUSE Security Ratings
- SUSE Bug 1204369
- SUSE Bug 1204370
- SUSE CVE CVE-2022-42003 page
- SUSE CVE CVE-2022-42004 page
Description
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Affected products
Container suse/manager/5.0/x86_64/server-attestation:latest:jackson-databind-2.13.4.2-150200.3.12.1
Container suse/manager/5.0/x86_64/server:latest:jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:jackson-databind-2.13.4.2-150200.3.12.1
References
- CVE-2022-42003
Description
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Affected products
Container suse/manager/5.0/x86_64/server-attestation:latest:jackson-databind-2.13.4.2-150200.3.12.1
Container suse/manager/5.0/x86_64/server:latest:jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:jackson-databind-2.13.4.2-150200.3.12.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:jackson-databind-2.13.4.2-150200.3.12.1
References
- CVE-2022-42004
- SUSE Bug 1204369