CVE-2017-15095

Опубликовано: 06 фев. 2018

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Ссылки

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Patch
Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Patch
Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Patch
Third Party Advisory
http://www.securityfocus.com/bid/103880
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1039769
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:3189
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3190
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0342
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0478
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0479
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0480
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0481
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0576
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0577
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1447
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1448
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1449
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1450
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1451
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2927
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 2.6.7.2 (исключая)

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Версия от 2.7.0 (включая) до 2.7.9.2 (исключая)

cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Версия от 2.8.0 (включая) до 2.8.10 (исключая)

cpe:2.3:a:fasterxml:jackson-databind:2.9.0:-:*:*:*:*:*:*

cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease1:*:*:*:*:*:*

cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease2:*:*:*:*:*:*

cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease3:*:*:*:*:*:*

cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease4:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite:6.4:*:*:*:*:*:*:*

cpe:2.3:a:redhat:satellite_capsule:6.4:*:*:*:*:*:*:*

Конфигурация 4

Одновременно

cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Конфигурация 5

Одновременно

Одно из

cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*

Одно из

cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Конфигурация 6

Одновременно

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*

Одно из

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Конфигурация 7

Одно из

cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_performance_manager:-:*:*:*:*:linux:*:*

cpe:2.3:a:netapp:oncommand_performance_manager:-:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

Конфигурация 8

Одно из

cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:clusterware:12.1.0.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*

Версия до 8.3 (исключая)

cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:database_server:12.2.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:database_server:18.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:global_lifecycle_management_opatchauto:*:*:*:*:*:*:*:*

Версия до 12.2.0.1.14 (исключая)

cpe:2.3:a:oracle:identity_manager:11.1.2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*

Версия от 17.1 (включая) до 17.12 (включая)

cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_advanced_spatial_and_operational_analytics:2.7.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*

EPSS

Процентиль: 93%

0.09261

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-184

CWE-502

Связанные уязвимости

CVE-2017-15095

CVSS3: 9.8

ubuntu

около 8 лет назад

CVE-2017-15095

CVSS3: 8.1

redhat

больше 8 лет назад

CVE-2017-15095

CVSS3: 9.8

debian

около 8 лет назад

A deserialization flaw was discovered in the jackson-databind in versi ...

GHSA-h592-38cm-4ggp

CVSS3: 9.8

github

больше 7 лет назад

jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution

EPSS

Процентиль: 93%

0.09261

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-184

CWE-502