SecurID® Discussions

JayGuillette
Authentication Manager Engineering Response to CVE-2018-7489, CVE-2022-42004 & CVE-2022-42003 in Oracle CPUJAN2023

CVE-2018-7489
Description
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Response: Because Authentication Manager uses WebLogic as a framework with AM components as applications in that framework, RSA cannot say definitively "The flaw exists but cannot be exploited." However, RSA can say that in order to exploit this vulnerability on an AM appliance, it would require an interface in WebLogic (independent of AM) which passed the JSON data directly to WebLogic and was available to attackers. As Auth Manager is deployed, this required extra-AM interface does not exist.

CVE-2022-42004
Description

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager does not use this feature. The setting "DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS" is required for the issues but not used in AM.

CVE-2022-42003
Description

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager does not use this feature. The setting "DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS" is required for the issues but not used in AM.

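The three responses above all turn on two questions a reader will want to check for themselves: which jackson-databind version is actually bundled in the deployment, and whether that version predates the fix for each CVE. The script below is an added example, not RSA's code and not the Authentication Manager's own layout; it walks a directory you point it at, identifies jackson-databind jars (by the presence of `com/fasterxml/jackson/databind/ObjectMapper.class`), reads the version from the Maven `pom.properties`, the manifest `Implementation-Version`, or the file name (assumed locations; relocated or shaded copies will not be found), and maps the version against the fix versions exactly as quoted in the CVE descriptions in this post (2.9.5 with backport 2.8.11.1; 2.13.4; 2.14.0-rc1 with backports 2.13.4.1 and 2.12.17.1). Nested archives such as ear/war files are not opened. A version match only says the flawed code is present; as the post explains, exploitability of the two 2022 issues also requires `DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS` to be enabled, which this inventory cannot determine. The sample tree built by `build_sample_tree()` is constructed for the demonstration.

```python
"""Inventory jackson-databind jars under a directory and map each version to the
three CVEs discussed in the thread. Added example, not vendor code."""
import os
import re
import tempfile
import zipfile

# Fix versions as quoted in the CVE descriptions in the post:
#   CVE-2018-7489:  fixed in 2.9.5, backported to 2.8.11.1
#   CVE-2022-42004: fixed in 2.13.4
#   CVE-2022-42003: fixed in 2.14.0-rc1, backports 2.13.4.1 and 2.12.17.1
FIXES = {
    "CVE-2018-7489": ("2.9.5", ["2.8.11.1"]),
    "CVE-2022-42004": ("2.13.4", []),
    "CVE-2022-42003": ("2.14.0-rc1", ["2.13.4.1", "2.12.17.1"]),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(?:rc|RC)(\d+))?")


def version_key(v):
    """Sortable key: numeric parts padded to four, then a release flag, then the
    rc number. '2.14.0-rc1' sorts below '2.14.0'; '2.13.4.1' above '2.13.4'."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unparseable jackson version: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    if m.group(2) is None:
        return tuple(nums) + (1, 0)
    return tuple(nums) + (0, int(m.group(2)))


def minor_line(v):
    """The 2.x minor line a version belongs to, e.g. (2, 13) for 2.13.4.1."""
    return version_key(v)[:2]


def affected(version):
    """CVE IDs whose fix the given jackson-databind version predates. A version
    is fixed if it is at or past the main fix, or at or past a backport on its
    own minor line."""
    vk = version_key(version)
    out = []
    for cve, (main_fix, backports) in FIXES.items():
        fixed = vk >= version_key(main_fix) or any(
            minor_line(b) == minor_line(version) and vk >= version_key(b)
            for b in backports)
        if not fixed:
            out.append(cve)
    return out


def jar_version(path):
    """Version of a jackson-databind jar, or None if the jar is not one.
    Assumed sources, in order: Maven pom.properties, manifest, file name."""
    pom = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        if "com/fasterxml/jackson/databind/ObjectMapper.class" not in names:
            return None  # not jackson-databind (relocated/shaded copies are missed)
        if pom in names:
            for line in z.read(pom).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if "META-INF/MANIFEST.MF" in names:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    m = re.search(r"jackson-databind-(\d[\w.\-]*)\.jar$", os.path.basename(path))
    return m.group(1) if m else None


def scan(root):
    """Walk root and return [(jar_path, version, affected_cves)] for each
    jackson-databind jar. Nested ear/war archives are not opened."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if not f.endswith(".jar"):
                continue
            p = os.path.join(dirpath, f)
            try:
                v = jar_version(p)
            except zipfile.BadZipFile:
                continue
            if v:
                findings.append((p, v, affected(v)))
    return findings


def build_sample_tree():
    """Constructed fixture, not a real appliance layout: one jar still affected
    by CVE-2022-42003, one at the 2.13.4.1 backport, and an unrelated jar."""
    root = tempfile.mkdtemp(prefix="jackson-scan-")
    os.makedirs(os.path.join(root, "lib"))

    def make(rel, version):
        with zipfile.ZipFile(os.path.join(root, rel), "w") as z:
            z.writestr("com/fasterxml/jackson/databind/ObjectMapper.class", b"")
            z.writestr("META-INF/maven/com.fasterxml.jackson.core/"
                       "jackson-databind/pom.properties", f"version={version}\n")

    make("jackson-databind-2.13.4.jar", "2.13.4")
    make(os.path.join("lib", "jackson-databind-2.13.4.1.jar"), "2.13.4.1")
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, ver, cves in scan(target):
        print(f"{path}: jackson-databind {ver} -> "
              f"affected: {', '.join(cves) if cves else 'none of the three'}")
```

Run it with the directory that holds the deployment's jars as the first argument; with no argument it scans the constructed sample tree. Because the thresholds are taken verbatim from the descriptions quoted above, a minor line that received a backport not listed there (the post names none for CVE-2022-42004) will be reported as affected; confirm against the upstream advisories before acting on a hit.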