FasterXML jackson-databind November 11, 2018 update

  • Posted January 29, 2019

  • Assessed Risk Level: High

On November 28, 2018, FasterXML published a security update addressing several vulnerabilities, including CVE-2018-7489. Puppet Enterprise 2019.0.2 and 2018.1.7 ship with an updated version of jackson-databind, and PuppetDB excludes jackson-databind entirely.

For more information about the vulnerabilities, refer to the FasterXML security announcement.

Status:

Affected software versions:

  • Puppet Enterprise prior to 2019.0.2
  • Puppet Enterprise prior to 2018.1.7

Resolved in:

  • Puppet Enterprise 2019.0.2
  • Puppet Enterprise 2018.1.7