CVE-2017-15095

Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 7.89%• Percentile: 92%

Techniques & Countermeasures

• CWE-502•Deserialization of Untrusted Data

  The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

• CWE-184•Incomplete List of Disallowed Inputs

  The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Affected Systems

• debian•debian_linux

  8.0 | 9.0

• fasterxml•jackson-databind

  ≥ 2.0.0, < 2.6.7.2 | ≥ 2.7.0, < 2.7.9.2 | ≥ 2.8.0, < 2.8.10 | 2.9.0 | 2.9.0:prerelease1 | 2.9.0:prerelease2 | 2.9.0:prerelease3 | 2.9.0:prerelease4 | < 2.8.10 | < 2.9.1

• com.fasterxml.jackson.core•jackson-databind

  ≥ 2.8.0, < 2.8.11 | ≥ 2.9.0, < 2.9.4 | ≥ 2.0.0, < 2.6.7.3 | ≥ 2.7.0, < 2.7.9.2

• netapp•oncommand_balance

  na

• netapp•oncommand_performance_manager

  na

• netapp•oncommand_shift

  na

• netapp•snapcenter

  na

• oracle•banking_platform

  2.5.0 | 2.6.0 | 2.6.1 | 2.6.2

• oracle•clusterware

  12.1.0.2.0

• oracle•communications_billing_and_revenue_management

  7.5 | 12.0

• oracle•communications_diameter_signaling_router

  < 8.3

• oracle•communications_instant_messaging_server

  10.0.1.2.0

• oracle•database_server

  12.2.0.1 | 18.1

• oracle•enterprise_manager_for_virtualization

  13.2.2 | 13.2.3 | 13.3.1

• oracle•financial_services_analytical_applications_infrastructure

  8.0.2 | 8.0.3 | 8.0.4 | 8.0.5 | 8.0.6 | 8.0.7

• oracle•global_lifecycle_management_opatchauto

  < 12.2.0.1.14

• oracle•identity_manager

  11.1.2.3.0 | 12.2.1.3.0

• oracle•jd_edwards_enterpriseone_tools

  9.2

• oracle•primavera_unifier

  ≥ 17.1, ≤ 17.12 | 16.1 | 16.2 | 18.8

• oracle•utilities_advanced_spatial_and_operational_analytics

  2.7.0.1

• oracle•webcenter_portal

  12.2.1.3.0

• redhat•jboss_enterprise_application_platform

  6.0.0 | 6.4.0 | 7.1.0

• redhat•openshift_container_platform

  3.11 | 4.1

• redhat•satellite

  6.4

• redhat•satellite_capsule

  6.4

References (44)

• https://access.redhat.com/errata/RHSA-2018:1448
• http://www.securityfocus.com/bid/103880
• https://access.redhat.com/errata/RHSA-2018:0479
• https://access.redhat.com/errata/RHSA-2018:0481
• https://access.redhat.com/errata/RHSA-2018:1449
• https://access.redhat.com/errata/RHSA-2018:1450
• https://access.redhat.com/errata/RHSA-2018:0577
• https://access.redhat.com/errata/RHSA-2018:0576
• https://access.redhat.com/errata/RHSA-2017:3190
• https://access.redhat.com/errata/RHSA-2018:1451
• https://access.redhat.com/errata/RHSA-2017:3189
• https://access.redhat.com/errata/RHSA-2018:2927
• http://www.securitytracker.com/id/1039769
• https://access.redhat.com/errata/RHSA-2018:0342
• https://access.redhat.com/errata/RHSA-2018:0480
• https://access.redhat.com/errata/RHSA-2018:1447
• https://access.redhat.com/errata/RHSA-2018:0478
• https://www.debian.org/security/2017/dsa-4037
• https://access.redhat.com/errata/RHSA-2019:2858
• https://access.redhat.com/errata/RHSA-2019:3149
• https://access.redhat.com/errata/RHSA-2019:3892
• https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
• http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
• http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
• https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://security.netapp.com/advisory/ntap-20171214-0003/
• https://github.com/FasterXML/jackson-databind/issues/1737
• https://github.com/FasterXML/jackson-databind/issues/1680
• https://nvd.nist.gov/vuln/detail/CVE-2017-15095
• https://github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b
• https://github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db
• https://github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92
• https://github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b
• https://github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935
• https://github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b
• https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E
• https://security.netapp.com/advisory/ntap-20171214-0003
• https://web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880
• https://web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769
• https://github.com/FasterXML/jackson-databind