Broadcom API Portal - CVE-2020-8840 jackson-databind vulnerability

Article ID: 244083

Products

CA API Developer Portal

Issue/Introduction

CVE-2020-8840 affects jackson-databind library versions 2.0.0 through 2.9.10.2.

API Portal 4.5.x uses:
jackson-databind 2.2.4
jackson-databind 2.8.3
jackson-databind 2.8.8
jackson-databind 2.9.4

API Portal 5.0.x uses:
jackson-databind-2.9.9.3
jackson-databind-2.10.1

Are both Portal versions impacted?

Environment

API Portal

Cause

A flaw was found in FasterXML jackson-databind: a "gadget" exploit is possible because a Java object is not blocked from being deserialized. FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Resolution

API Portal 5.1 is packaged with jackson-databind 2.10.x, which is not affected by this vulnerability.

Although the previous version of API Portal may not be directly impacted (the vulnerability criteria are not matched, so the exploit cannot succeed), we still recommend upgrading the production Portal to 5.1.x.
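The following check is an added example, not code from the article or from Broadcom: it compares the jackson-databind versions listed above against the advisory's affected range (2.0.0 through 2.9.10.2, inclusive) and flags which Portal bundles contain an affected build. The version lists are copied from the article; the jar-name helper and its sample file name are constructed for illustration, and the range is compared as integer tuples so that 2.9.4 sorts correctly below 2.9.10.2 (a plain string comparison would get that wrong).

```python
"""Check bundled jackson-databind versions against the CVE-2020-8840 affected range."""
import re
from typing import Dict, List, Optional, Tuple

# Affected range stated in the advisory: 2.0.0 through 2.9.10.2, inclusive.
AFFECTED_MIN = "2.0.0"
AFFECTED_MAX = "2.9.10.2"

# jackson-databind versions the article lists for each Portal release.
PORTAL_BUNDLES: Dict[str, List[str]] = {
    "API Portal 4.5.x": ["2.2.4", "2.8.3", "2.8.8", "2.9.4"],
    "API Portal 5.0.x": ["2.9.9.3", "2.10.1"],
}

# Matches jar file names such as jackson-databind-2.9.9.3.jar (constructed pattern).
JAR_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+)+)\.jar$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.9.10.2' into (2, 9, 10, 2); shorter strings are zero-padded so
    '2.9.4' becomes (2, 9, 4, 0) and compares below (2, 9, 10, 2)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version lies inside the advisory's inclusive affected range."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


def version_from_jar(jar_name: str) -> Optional[str]:
    """Extract the version from a bundled jar name, or None if it is not jackson-databind."""
    match = JAR_RE.match(jar_name)
    return match.group(1) if match else None


def affected_bundles(bundles: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each Portal release to the subset of its jackson-databind versions
    that fall in the affected range; an empty list means none do."""
    return {release: [v for v in versions if is_affected(v)] for release, versions in bundles.items()}


if __name__ == "__main__":
    for release, hits in affected_bundles(PORTAL_BUNDLES).items():
        print(f"{release}: " + (", ".join(hits) if hits else "no versions in affected range"))
```

A version inside the range means the library build is affected, not that the deployment is exploitable; as the article notes, the exploit also needs its other preconditions to be met, which is why the check is a trigger for upgrading rather than a verdict on exposure.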

Additional Information

Vulnerability Reference : CVE-2020-8840