RHSA-2020:1644: Red Hat Security Advisory: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update
An update for the pki-core:10.6 and pki-deps:10.6 modules is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.

Security Fix(es):
- jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)
- jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)
- jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)
- jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)
- jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section.

Related CVEs:
- CVE-2019-14540: jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
- CVE-2019-16335: jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
- CVE-2019-16942: jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*
- CVE-2019-16943: jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
- CVE-2019-17531: jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
- CVE-2019-20330: jackson-databind: lacks certain net.sf.ehcache blocking
- CVE-2020-8840: jackson-databind: Lacks certain xbean-reflect/JNDI blocking
- CVE-2020-9546: jackson-databind: Serialization gadgets in shaded-hikari-config
- CVE-2020-9547: jackson-databind: Serialization gadgets in ibatis-sqlmap
- CVE-2020-9548: jackson-databind: Serialization gadgets in anteros-core
- CVE-2020-10672: jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
- CVE-2020-10673: jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution