ID

VAR-202203-1400

CVE

CVE-2020-36518

TITLE

FasterXML jackson-databind Buffer error vulnerability

DESCRIPTION

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Bugs fixed (https://bugzilla.redhat.com/): 1923181 - CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure 1925237 - CVE-2020-9492 hadoop: WebHDFS client might send SPNEGO authorization header 1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS 1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information 1943189 - CVE-2021-22137 elasticsearch: Document disclosure flaw when Document or Field Level Security is used 1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents 1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF 1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame 1954559 - CVE-2021-3520 lz4: memory corruption due to an integer overflow bug caused by memmove argument 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS 1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 5. Bugs fixed (https://bugzilla.redhat.com/): 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson 2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data 2130018 - CVE-2022-34917 Kafka: Unauthenticated clients may cause OutOfMemoryError on brokers 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Single Sign-On 7.5.3 security update on RHEL 8 Advisory ID: RHSA-2022:6783-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2022:6783 Issue date: 2022-10-04 CVE Names: CVE-2020-36518 CVE-2021-42392 CVE-2021-43797 CVE-2022-0084 CVE-2022-0225 CVE-2022-0866 CVE-2022-2256 CVE-2022-2668 ==================================================================== 1. Summary: New Red Hat Single Sign-On 7.5.3 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Single Sign-On 7.5 for RHEL 8 - noarch 3. Description: Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.5.3 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866) * xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084) * netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797) * keycloak-saml-core: keycloak: Uploading of SAML javascript protocol mapper scripts through the admin (CVE-2022-2668) * keycloak: Stored XSS in groups dropdown (CVE-2022-0225) * h2: Remote Code Execution in Console (CVE-2021-42392) * keycloak-core: keycloak: improper input validation permits script injection (CVE-2022-2256) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2039403 - CVE-2021-42392 h2: Remote Code Execution in Console 2040268 - CVE-2022-0225 keycloak: Stored XSS in groups dropdown 2060929 - CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2101942 - CVE-2022-2256 keycloak: improper input validation permits script injection 2115392 - CVE-2022-2668 keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console 6. Package List: Red Hat Single Sign-On 7.5 for RHEL 8: Source: rh-sso7-keycloak-15.0.8-1.redhat_00001.1.el8sso.src.rpm noarch: rh-sso7-keycloak-15.0.8-1.redhat_00001.1.el8sso.noarch.rpm rh-sso7-keycloak-server-15.0.8-1.redhat_00001.1.el8sso.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-42392 https://access.redhat.com/security/cve/CVE-2021-43797 https://access.redhat.com/security/cve/CVE-2022-0084 https://access.redhat.com/security/cve/CVE-2022-0225 https://access.redhat.com/security/cve/CVE-2022-0866 https://access.redhat.com/security/cve/CVE-2022-2256 https://access.redhat.com/security/cve/CVE-2022-2668 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYzyeANzjgjWX9erEAQhCRg/+IuWTeQvj8+RD0Zjo8ZTH/9llbxcvQBDF cn1CNOsXm897g4Jy/Guf8dnS7LRGifdhQVfSiasRXVqityHTyYkvDuHka8UBos/O 5umRRldNbmBBgLheak6RHIee6dOSry5YfS2zXM3TCCV8oQjHlb5xAKWn6gk0dXZX kpQWsi+GrZ0us1gRon758z7/JUsQJZMcSK21jzcxGIl7+ZuqMocctWYjkCJlLCLa xec+/NGsXllUpJPigJKxZmRlZIkjqJrAmhRRPj6kgAlOl3xPIST7pYtR0ae8BIi5 F/wLPEQGt/QCJMO5Ur6NfBUhUHmAlJzUiDiPqDpKLI/JTbeqcvqC/KPJrdIzmJGt zqUudFQ1pBvsvuvbWdurqGdSfU9GbeFWK8mg2uU2QnUub9GLmrFr8Ahlo0LTsxyg qVzjG0YuiviOzvONYejqcpMEnxfK6r/CYqvOr0xtcRnemjHSXC45dUUz9gmBmFXu XhZdNgkgGcxlapnm8PamHZRPMEhtRDiJRKciy2tH523qMGncRM4AP3MT38cgiwci MiXyPLK2jtwtqRD0vt+paXVuuuk3CcE+WR6SpehAXNTFbutkhJ5CkfjpRNW34zAD aA/zBjMCIOV8F9WxI2JjnZTK/7bXFnU1GZbh/zY+zZVutaD/25IiRKxPCuj0eRze m5lmf2XsIDo=laLp -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution: For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly, for detailed release notes: https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html For Red Hat OpenShift Logging 5.3, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html 4. JIRA issues fixed (https://issues.jboss.org/): LOG-3293 - log-file-metric-exporter container has not limits exhausting the resources of the node 6. Description: Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Security Fix(es): * scala: deserialization gadget chain (CVE-2022-36944) * json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370) * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341) * netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136) * netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137) * jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877) * netty: world readable temporary file containing sensitive data (CVE-2022-24823) * jettison: parser crash by stackoverflow (CVE-2022-40149) * jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * jackson-databind: use of deeply nested arrays (CVE-2022-42004) * Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833) * jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). Bugs fixed (https://bugzilla.redhat.com/): 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data 2129809 - CVE-2022-36944 scala: deserialization gadget chain 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data 2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow 2154086 - CVE-2021-0341 okhttp: information disclosure via improperly used cryptographic function 2169845 - CVE-2023-0833 Red Hat A-MQ Streams: component version with information disclosure flaw 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode 2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) 5. JIRA issues fixed (https://issues.jboss.org/): ENTMQST-4107 - [KAFKA] MM2 connector task stopped and didn?t result in failed state ENTMQST-4541 - [PROD] Create RHSA erratum for Streams 2.4.0 6

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer error

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-06-19T20:38:04.854000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE