Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2021-20190)

2022-02-0717:38:22

www.ibm.com

0.004 Low

EPSS

Percentile

74.7%

JSON

Summary

IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities

Vulnerability Details

CVEID:CVE-2021-20190
**DESCRIPTION:**FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to a class(es) of JDK Swing. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195243 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Cloud Private	3.1.0
IBM Cloud Private	3.1.1
IBM Cloud Private	3.1.2
IBM Cloud Private	3.2.0
IBM Cloud Private	3.2.1 CD
IBM Cloud Private	3.2.2 CD

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages

IBM Cloud Private 3.2.1
IBM Cloud Private 3.2.2

For IBM Cloud Private 3.2.1, apply fix pack:

IBM Cloud Private 3.2.1.2105

For IBM Cloud Private 3.2.2, apply fix pack:

IBM Cloud Private 3.2.2.2105

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0:

Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.
If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud privateeq3.1.0
ibm cloud privateeq3.1.1
ibm cloud privateeq3.1.2
ibm cloud privateeq3.2.0
ibm cloud privateeq3.2.1
ibm cloud privateeq3.2.2