
Oct 01, 2019 - 4:24 p.m.

Security Bulletin: Vulnerabilities in FasterXML Jackson libraries affect IBM Cúram Social Program Management (CVE-2019-14439, CVE-2019-14379, CVE-2019-12814, CVE-2019-12086)







IBM Cúram Social Program Management uses the FasterXML Jackson libraries, for which there are four publicly known vulnerabilities. Three of the vulnerabilities, which are caused by various polymorphic typing issues, could enable a remote attacker to obtain sensitive information. The fourth vulnerability, which is caused by a flaw in the, could enable a remote attacker to execute arbitrary code on the system.

Vulnerability Details

CVE-ID: CVE-2019-14439
Description: FasterXML jackson-databind could enable a remote attacker to obtain sensitive information, where the vulnerability is caused by a polymorphic typing issue when Default Typing is enabled. A remote attacker could exploit the vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See the IBM X-Force Exchange entry for this CVE for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2019-14379
Description: FasterXML jackson-databind could enable a remote attacker to execute arbitrary code on the system, where the vulnerability is caused by a flaw in the An attacker could exploit the vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See the IBM X-Force Exchange entry for this CVE for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2019-12814
Description: FasterXML jackson-databind could enable a remote attacker to obtain sensitive information, where the vulnerability is caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit the vulnerability to read arbitrary local files on the server.
CVSS Base Score: 7.5
CVSS Temporal Score: See the IBM X-Force Exchange entry for this CVE for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVE-ID: CVE-2019-12086
Description: FasterXML jackson-databind could enable a remote attacker to obtain sensitive information, where the vulnerability is caused by a polymorphic typing issue that occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. By sending a specially-crafted JSON message, a remote attacker could exploit the vulnerability to read arbitrary local files on the server.
CVSS Base Score: 5.3
CVSS Temporal Score: See the IBM X-Force Exchange entry for this CVE for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
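The three "polymorphic typing" entries above come down to one mechanism: when Default Typing is enabled, the class to instantiate is read from the JSON itself, so any class on the application's classpath whose setters act on attacker-supplied data becomes reachable through an exposed JSON endpoint. The following is an added example, not IBM's or FasterXML's code, showing a vulnerable ObjectMapper beside two allow-list alternatives. The classes Probe, Greeting and Message and the JSON inputs are constructed for illustration; activateDefaultTyping() and BasicPolymorphicTypeValidator are real jackson-databind APIs that exist from 2.10, while enableDefaultTyping() and the @JsonTypeInfo/@JsonSubTypes route also exist on the 2.9 line the CVEs concern.

```java
// Added example (not IBM's or FasterXML's code): why "Default Typing" lets
// attacker JSON pick the class to instantiate, and two allow-list alternatives.
// Assumes jackson-databind on the classpath; activateDefaultTyping() and
// BasicPolymorphicTypeValidator exist from 2.10, the rest works on 2.9 too.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical stand-in for a classpath class whose setter acts on
    // attacker data (the real CVEs abuse JDBC, cache and logging classes).
    public static class Probe {
        public static String lastPath;
        public void setPath(String p) { lastPath = p; } // runs during deserialisation
    }

    // The one type the application legitimately expects, with an explicit
    // name-to-class mapping instead of class names taken from the JSON.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Greeting.class, name = "greeting") })
    public interface Message {}

    public static class Greeting implements Message {
        public String message;
    }

    // Constructed inputs. Default typing uses the ["class", {...}] wrapper-array
    // form, so the JSON names the class to load.
    static final String BENIGN    = "[\"DefaultTypingDemo$Greeting\", {\"message\": \"hi\"}]";
    static final String MALICIOUS = "[\"DefaultTypingDemo$Probe\", {\"path\": \"/etc/passwd\"}]";

    // Vulnerable: what the bulletin calls "Default Typing enabled". Any class
    // reachable on the classpath can be named and its setters driven.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();                  // deprecated since 2.10, still effective
        return m;
    }

    // Hardened (2.10+): default typing stays on, but only for allow-listed
    // subtypes; anything else is refused before the class is loaded.
    static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // 1. Vulnerable: the attacker's JSON instantiates Probe and calls setPath().
        Object o = vulnerableMapper().readValue(MALICIOUS, Object.class);
        System.out.println("vulnerable: got " + o.getClass().getSimpleName()
                + ", setPath(" + Probe.lastPath + ") was invoked");

        // 2. Allow-list validator: benign input still works, the probe is refused.
        ObjectMapper safe = allowListMapper();
        Greeting g = (Greeting) safe.readValue(BENIGN, Object.class);
        System.out.println("allow-list: benign message = " + g.message);
        try {
            safe.readValue(MALICIOUS, Object.class);
        } catch (JsonMappingException e) {
            System.out.println("allow-list: rejected -> " + e.getOriginalMessage());
        }

        // 3. Works on 2.9.x too: no global default typing at all; polymorphism
        //    only via @JsonTypeInfo/@JsonSubTypes, where ids map to fixed classes.
        ObjectMapper plain = new ObjectMapper();
        Message m = plain.readValue("{\"kind\":\"greeting\",\"message\":\"hello\"}", Message.class);
        System.out.println("annotated: " + ((Greeting) m).message);
        try {
            plain.readValue("{\"kind\":\"DefaultTypingDemo$Probe\",\"path\":\"/etc/passwd\"}", Message.class);
        } catch (JsonMappingException e) {
            System.out.println("annotated: rejected -> " + e.getOriginalMessage());
        }
    }
}
```

The jackson-databind releases that fix these CVEs do so by adding the named gadget classes to a blocklist, which is why the same bug class keeps getting new CVE numbers; disabling global default typing, or constraining it with an allow-list as above, is what closes the class of bug rather than the individual instance.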

Affected Products and Versions

IBM Cúram Social Program Management -

IBM Cúram Social Program Management -


Product | VRMF | Remediation/First Fix
Cúram SPM | | Visit IBM Fix Central and upgrade to 7.0.8 or a subsequent 7.0.8 release.
Cúram SPM | | Visit IBM Fix Central and upgrade to or a subsequent 7.0.4 release.

Workarounds and Mitigations

For information about all other versions, contact IBM Cúram Social Program Management customer support.