Vulnerability Monitor


CVE-2017-15095

A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to achieve code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the earlier flaw CVE-2017-7525; the fix blacklists additional classes that could be abused during deserialization.

Published

2018-02-06T15:29:00.233

Last Modified

2024-11-21T03:14:03.620

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses
  • Type: Secondary
    CWE-184
  • Type: Primary
    CWE-502

Affected Vendors & Products

Type             Vendor     Product                                                    Version/Range  Vulnerable?
Application      fasterxml  jackson-databind                                           < 2.6.7.2      Yes
Application      fasterxml  jackson-databind                                           < 2.7.9.2      Yes
Application      fasterxml  jackson-databind                                           < 2.8.10       Yes
Application      fasterxml  jackson-databind                                           2.9.0          Yes
Operating System debian     debian_linux                                               8.0            Yes
Operating System debian     debian_linux                                               9.0            Yes
Application      redhat     openshift_container_platform                               3.11           Yes
Application      redhat     satellite                                                  6.4            Yes
Application      redhat     satellite_capsule                                          6.4            Yes
Application      redhat     openshift_container_platform                               4.1            Yes
Operating System redhat     enterprise_linux                                           7.0            No
Application      redhat     jboss_enterprise_application_platform                      6.0.0          Yes
Application      redhat     jboss_enterprise_application_platform                      6.4.0          Yes
Operating System redhat     enterprise_linux                                           5.0            No
Operating System redhat     enterprise_linux                                           6.0            No
Application      redhat     jboss_enterprise_application_platform                      7.1.0          Yes
Application      netapp     oncommand_balance                                          -              Yes
Application      netapp     oncommand_performance_manager                              -              Yes
Application      netapp     oncommand_shift                                            -              Yes
Application      netapp     snapcenter                                                 -              Yes
Application      oracle     banking_platform                                           2.5.0          Yes
Application      oracle     banking_platform                                           2.6.0          Yes
Application      oracle     banking_platform                                           2.6.1          Yes
Application      oracle     banking_platform                                           2.6.2          Yes
Application      oracle     clusterware                                                12.1.0.2.0     Yes
Application      oracle     communications_billing_and_revenue_management              7.5            Yes
Application      oracle     communications_billing_and_revenue_management              12.0           Yes
Application      oracle     communications_diameter_signaling_router                   < 8.3          Yes
Application      oracle     communications_instant_messaging_server                    10.0.1.2.0     Yes
Application      oracle     database_server                                            12.2.0.1       Yes
Application      oracle     database_server                                            18.1           Yes
Application      oracle     enterprise_manager_for_virtualization                      13.2.2         Yes
Application      oracle     enterprise_manager_for_virtualization                      13.2.3         Yes
Application      oracle     enterprise_manager_for_virtualization                      13.3.1         Yes
Application      oracle     financial_services_analytical_applications_infrastructure  8.0.2          Yes
Application      oracle     financial_services_analytical_applications_infrastructure  8.0.3          Yes
Application      oracle     financial_services_analytical_applications_infrastructure  8.0.4          Yes
Application      oracle     financial_services_analytical_applications_infrastructure  8.0.5          Yes
Application      oracle     financial_services_analytical_applications_infrastructure  8.0.6          Yes
Application      oracle     financial_services_analytical_applications_infrastructure  8.0.7          Yes
Application      oracle     global_lifecycle_management_opatchauto                     < 12.2.0.1.14  Yes
Application      oracle     identity_manager                                           11.1.2.3.0     Yes
Application      oracle     identity_manager                                           12.2.1.3.0     Yes
Application      oracle     jd_edwards_enterpriseone_tools                             9.2            Yes
Application      oracle     primavera_unifier                                          ≤ 17.12        Yes
Application      oracle     primavera_unifier                                          16.1           Yes
Application      oracle     primavera_unifier                                          16.2           Yes
Application      oracle     primavera_unifier                                          18.8           Yes
Application      oracle     utilities_advanced_spatial_and_operational_analytics       2.7.0.1        Yes
Application      oracle     webcenter_portal                                           12.2.1.3.0     Yes
