Vulnerabilities > CVE-2018-7489 - Deserialization of Untrusted Data vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1451.NASL description An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.19. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088. last seen 2020-06-01 modified 2020-06-02 plugin id 109838 published 2018-05-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109838 title RHEL 6 : eap6-jboss-ec2-eap (RHSA-2018:1451) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:1451. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(109838); script_version("1.7"); script_cvs_date("Date: 2019/10/24 15:35:44"); script_cve_id("CVE-2016-4978", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-3163", "CVE-2018-1304", "CVE-2018-7489", "CVE-2018-8088"); script_xref(name:"RHSA", value:"2018:1451"); script_name(english:"RHEL 6 : eap6-jboss-ec2-eap (RHSA-2018:1451)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.19. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/documentation/en-us/" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:1451" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-4978" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2017-3163" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2017-15095" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2017-17485" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-1304" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-7489" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-8088" ); script_set_attribute( attribute:"solution", value: "Update the affected jboss-ec2-eap and / or jboss-ec2-eap-samples packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ec2-eap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ec2-eap-samples"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/27"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2018:1451"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", reference:"jboss-ec2-eap-7.5.20-1.Final_redhat_1.ep6.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"jboss-ec2-eap-samples-7.5.20-1.Final_redhat_1.ep6.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jboss-ec2-eap / jboss-ec2-eap-samples"); } }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1449.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088. last seen 2020-06-01 modified 2020-06-02 plugin id 109906 published 2018-05-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109906 title RHEL 6 : JBoss EAP (RHSA-2018:1449) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_93F8E0FFF33D11E8BE460019DBB15B3F.NASL description FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. last seen 2020-06-01 modified 2020-06-02 plugin id 119272 published 2018-11-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119272 title FreeBSD : payara -- Default typing issue in Jackson Databind (93f8e0ff-f33d-11e8-be46-0019dbb15b3f) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1448.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088. last seen 2020-06-01 modified 2020-06-02 plugin id 109905 published 2018-05-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109905 title RHEL 7 : JBoss EAP (RHSA-2018:1448) NASL family Fedora Local Security Checks NASL id FEDORA_2018-633ACF0ED6.NASL description Security fix for CVE-2018-7489 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120474 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120474 title Fedora 28 : jackson-databind (2018-633acf0ed6) NASL family CGI abuses NASL id ACTIVEMQ_5_15_5.NASL description The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.15.5. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 112192 published 2018-08-30 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112192 title Apache ActiveMQ 5.x < 5.15.5 Multiple Vulnerabilities NASL family Databases NASL id ORACLE_RDBMS_CPU_OCT_2018.NASL description The remote Oracle Database Server is missing the October 2018 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including remote code execution, as noted in the October 2018 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-02 modified 2018-10-19 plugin id 118230 published 2018-10-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118230 title Oracle Database Server Multiple Vulnerabilities (October 2018 CPU) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2089.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 110797 published 2018-06-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110797 title RHEL 7 : JBoss EAP (RHSA-2018:2089) NASL family Misc. NASL id ORACLE_WEBLOGIC_SERVER_CPU_JUL_2018.NASL description The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability in the Spring Framework (Sample Apps) subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-1275) - An unspecified vulnerability in the WLS Core Components subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-2893) - An unspecified vulnerability in the WLS - Web Services subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker with HTTP access to compromise and takeover a WebLogic server. (CVE-2018-2894) In addition, Oracle WebLogic Server is affected by several other lower scoring vulnerabilities in the WLS Core Components, JSF, SAML, and Console (jackson-databind) subcomponents. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 111209 published 2018-07-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111209 title Oracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4190.NASL description It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing because of an incomplete fix for CVE-2017-7525. last seen 2020-06-01 modified 2020-06-02 plugin id 109557 published 2018-05-04 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109557 title Debian DSA-4190-1 : jackson-databind - security update NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2090.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 110798 published 2018-06-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110798 title RHEL 6 : JBoss EAP (RHSA-2018:2090) NASL family CGI abuses NASL id ORACLE_PRIMAVERA_GATEWAY_CPU_OCT_2018.NASL description According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.15, 16.x prior to 16.2.8, or 17.x prior to 17.12.3. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-04-30 modified 2018-11-02 plugin id 118714 published 2018-11-02 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118714 title Oracle Primavera Gateway Multiple Vulnerabilities (Oct 2018 CPU)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- https://github.com/FasterXML/jackson-databind/issues/1931
- http://www.securityfocus.com/bid/103203
- https://security.netapp.com/advisory/ntap-20180328-0001/
- http://www.securitytracker.com/id/1040693
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- https://www.debian.org/security/2018/dsa-4190
- https://access.redhat.com/errata/RHSA-2018:1451
- https://access.redhat.com/errata/RHSA-2018:1450
- https://access.redhat.com/errata/RHSA-2018:1449
- https://access.redhat.com/errata/RHSA-2018:1448
- https://access.redhat.com/errata/RHSA-2018:1447
- https://access.redhat.com/errata/RHSA-2018:1786
- https://access.redhat.com/errata/RHSA-2018:2090
- https://access.redhat.com/errata/RHSA-2018:2089
- https://access.redhat.com/errata/RHSA-2018:2088
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securitytracker.com/id/1041890
- https://access.redhat.com/errata/RHSA-2018:2939
- https://access.redhat.com/errata/RHSA-2018:2938
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:3149
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E