Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-15095

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Security Impact Summary

This vulnerability carries a CRITICAL severity rating with a CVSS v3.1 score of 9.8, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), and availability (service disruption) for affected systems. Impacting 25 products from fasterxml, from debian, from redhat and 22 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

First disclosed in 2018, this vulnerability was reported during a period defined by widespread IoT adoption challenges, mobile security concerns, and the emergence of advanced persistent threat (APT) techniques. Contemporary mitigation strategies focused on secure development practices and third-party component vetting.

Published

2018-02-06T15:29:00.233

Last Modified

2024-11-21T03:14:03.620

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

10.0

Impact Score

6.4

Weaknesses
  • Type: Secondary
    CWE-184
  • Type: Primary
    CWE-502
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application fasterxml jackson-databind < 2.6.7.2 Yes
Application fasterxml jackson-databind < 2.7.9.2 Yes
Application fasterxml jackson-databind < 2.8.10 Yes
Application fasterxml jackson-databind 2.9.0 Yes
Application fasterxml jackson-databind 2.9.0 Yes
Application fasterxml jackson-databind 2.9.0 Yes
Application fasterxml jackson-databind 2.9.0 Yes
Application fasterxml jackson-databind 2.9.0 Yes
Operating System debian debian_linux 8.0 Yes
Operating System debian debian_linux 9.0 Yes
Application redhat openshift_container_platform 3.11 Yes
Application redhat satellite 6.4 Yes
Application redhat satellite_capsule 6.4 Yes
Application redhat openshift_container_platform 4.1 Yes
Operating System redhat enterprise_linux 7.0 No
Application redhat jboss_enterprise_application_platform 6.0.0 Yes
Application redhat jboss_enterprise_application_platform 6.4.0 Yes
Operating System redhat enterprise_linux 5.0 No
Operating System redhat enterprise_linux 6.0 No
Operating System redhat enterprise_linux 7.0 No
Application redhat jboss_enterprise_application_platform 7.1.0 Yes
Operating System redhat enterprise_linux 6.0 No
Operating System redhat enterprise_linux 7.0 No
Application netapp oncommand_balance - Yes
Application netapp oncommand_performance_manager - Yes
Application netapp oncommand_performance_manager - Yes
Application netapp oncommand_shift - Yes
Application netapp snapcenter - Yes
Application oracle banking_platform 2.5.0 Yes
Application oracle banking_platform 2.6.0 Yes
Application oracle banking_platform 2.6.1 Yes
Application oracle banking_platform 2.6.2 Yes
Application oracle clusterware 12.1.0.2.0 Yes
Application oracle communications_billing_and_revenue_management 7.5 Yes
Application oracle communications_billing_and_revenue_management 12.0 Yes
Application oracle communications_diameter_signaling_router < 8.3 Yes
Application oracle communications_instant_messaging_server 10.0.1.2.0 Yes
Application oracle database_server 12.2.0.1 Yes
Application oracle database_server 18.1 Yes
Application oracle enterprise_manager_for_virtualization 13.2.2 Yes
Application oracle enterprise_manager_for_virtualization 13.2.3 Yes
Application oracle enterprise_manager_for_virtualization 13.3.1 Yes
Application oracle financial_services_analytical_applications_infrastructure 8.0.2 Yes
Application oracle financial_services_analytical_applications_infrastructure 8.0.3 Yes
Application oracle financial_services_analytical_applications_infrastructure 8.0.4 Yes
Application oracle financial_services_analytical_applications_infrastructure 8.0.5 Yes
Application oracle financial_services_analytical_applications_infrastructure 8.0.6 Yes
Application oracle financial_services_analytical_applications_infrastructure 8.0.7 Yes
Application oracle global_lifecycle_management_opatchauto < 12.2.0.1.14 Yes
Application oracle identity_manager 11.1.2.3.0 Yes
Application oracle identity_manager 12.2.1.3.0 Yes
Application oracle jd_edwards_enterpriseone_tools 9.2 Yes
Application oracle primavera_unifier ≤ 17.12 Yes
Application oracle primavera_unifier 16.1 Yes
Application oracle primavera_unifier 16.2 Yes
Application oracle primavera_unifier 18.8 Yes
Application oracle utilities_advanced_spatial_and_operational_analytics 2.7.0.1 Yes
Application oracle webcenter_portal 12.2.1.3.0 Yes
References

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For fasterxml's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.