PT-2020-3307
Published: 2020-02-10 · Updated: 2025-06-25 · CVE-2020-9546
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
FasterXML jackson-databind versions 2.x before 2.9.10.4
Oracle WebLogic Server (affected versions not specified)
Oracle Retail Xstore Point of Service (affected versions not specified)
Oracle Retail Service Backbone (affected versions not specified)
Oracle Retail Sales Audit (affected versions not specified)
Oracle Retail Merchandising System (affected versions not specified)
Oracle Primavera Unifier (affected versions not specified)
Oracle JD Edwards EnterpriseOne Tools (affected versions not specified)
Oracle JD Edwards EnterpriseOne Orchestrator (affected versions not specified)
Oracle Insurance Policy Administration J2EE (affected versions not specified)
Oracle Global Lifecycle Management OPatch (affected versions not specified)
Oracle Financial Services Retail Customer Analytics (affected versions not specified)
Oracle Financial Services Price Creation and Discovery (affected versions not specified)
Oracle Financial Services Institutional Performance Analytics (affected versions not specified)
Oracle Financial Services Analytical Applications Infrastructure (affected versions not specified)
Oracle Enterprise Manager Base Platform (affected versions not specified)
Oracle Communications Session Route Manager (affected versions not specified)
Oracle Communications Session Report Manager (affected versions not specified)
Oracle Communications Network Charging and Control (affected versions not specified)
Oracle Communications Instant Messaging Server (affected versions not specified)
Oracle Communications Evolved Communications Application Server (affected versions not specified)
Oracle Communications Element Manager (affected versions not specified)
Oracle Communications Diameter Signaling Router (affected versions not specified)
Oracle Communications Contacts Server (affected versions not specified)
Oracle Communications Calendar Server (affected versions not specified)
Oracle Banking Platform (affected versions not specified)
Oracle Banking Digital Experience (affected versions not specified)
Oracle AutoVue for Agile Product Lifecycle Management (affected versions not specified)
Oracle Agile PLM (affected versions not specified)
NetApp Active IQ Unified Manager (affected versions not specified)
Debian Linux (affected versions not specified)
Description
The vulnerability stems from the interaction between serialization gadgets and typing in the FasterXML jackson-databind library, specifically involving the org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig gadget class. A remote attacker can exploit it to cause a denial-of-service condition.
Recommendations
For FasterXML jackson-databind versions 2.x before 2.9.10.4, update to version 2.9.10.4 or later.
For the Oracle, NetApp and Debian products listed above (Oracle WebLogic Server, the Oracle Retail, Financial Services, Communications, Banking, JD Edwards EnterpriseOne, Primavera, Insurance, Enterprise Manager, OPatch, AutoVue and Agile PLM products, NetApp Active IQ Unified Manager, and Debian Linux), at the moment there is no information about a newer version that contains a fix for this vulnerability.
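The configuration contrast behind the description and recommendation above, as an added example that is not part of this advisory or of the jackson-databind project: the weak global default-typing setting next to the allow-list form that jackson-databind 2.10 and later provide through activateDefaultTyping. It assumes jackson-databind 2.10 or later on the classpath; the package prefix com.example.model. and the class name DefaultTypingCheck are placeholders.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {

    // Weak setting: global default typing with no validator. Every class name
    // carried in the input is resolved, so any gadget class on the classpath
    // (for example the HikariConfig class named in the description) is reachable.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10; same risk on 2.9.x
        return m;
    }

    // Hardened setting: default typing only through an allow-list validator.
    // "com.example.model." is a placeholder for the application's own model package.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // True when the mapper accepts a document whose type id names a class
    // outside the application's model; false when the validator rejects it.
    static boolean acceptsForeignTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (InvalidTypeIdException e) {
            return false; // allow-list denied resolution of the type id
        } catch (JsonProcessingException e) {
            return false; // any other parse failure also counts as rejected
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the type id names a harmless JDK class; the point is
        // that the hardened mapper refuses every class outside the allow-list.
        String sample = "[\"java.util.HashMap\", {\"key\": \"value\"}]";
        System.out.println("weak mapper accepts foreign type id: "
                + acceptsForeignTypeId(weakMapper(), sample));
        System.out.println("hardened mapper accepts foreign type id: "
                + acceptsForeignTypeId(hardenedMapper(), sample));
    }
}
```

Upgrading to 2.9.10.4 or later, as recommended above, addresses the specific gadget; the allow-list removes the broader class of gadget-based type resolution.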
Exploit
DoS
Weakness Enumeration
Deserialization of Untrusted Data
Affected Products
Alt Linux
AlmaLinux
CentOS
Debian
Red Hat
RED OS
Rocky Linux
Ubuntu
Active IQ Unified Manager
Agile PLM
AutoVue for Agile Product Lifecycle Management
Banking Digital Experience
Banking Platform
Communications Calendar Server
Communications Contacts Server
Oracle Communications Diameter Signaling Router
Communications Element Manager
Communications Evolved Communications Application Server
Communications Instant Messaging Server
Communications Network Charging/Control
Communications Session Report Manager
Enterprise Manager Base Platform
Oracle Financial Services Analytical Applications Infrastructure
Financial Services Institutional Performance Analytics
Oracle Financial Services Price Creation/Discovery
Financial Services Retail Customer Analytics
Global Lifecycle Management OPatch
Insurance Policy Administration J2EE
jackson-databind
JD Edwards EnterpriseOne Orchestrator
JD Edwards EnterpriseOne Tools
Primavera Unifier
Retail Merchandising System
Retail Sales Audit
Retail Service Backbone
Retail Xstore Point of Service
Oracle WebLogic Server