exploitDog

CVE-2018-7489

Published: 26 Feb 2018
Source: redhat
CVSS3: 8.1
EPSS: Medium

Description

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Report

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. Satellite 6.2 does not support c3p0 classes. Since the latter are required for this flaw, Satellite 6.2 is not affected. Satellite 6.3 and 6.4 are not affected because Candlepin does not use polymorphic deserialization.

Mitigation

Advice on how to remain safe while using JAX-RS webservices on JBoss EAP 7.x is available here:
https://access.redhat.com/solutions/3279231
https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization

General Mitigation: Try to avoid

  • Deserialization from sources you do not control
  • enableDefaultTyping()
  • @JsonTypeInfo using Id.CLASS or Id.MINIMAL_CLASS
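As an added example (not code from this exploitDog page or from the Jackson project), the weak ObjectMapper configuration the mitigation warns against is shown beside a hardened one that keeps polymorphism but limits it to a closed set of logical type names declared in code; the Shape, Circle and Square types are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class PolymorphicConfigExample {

    // WEAK: global default typing lets the JSON document name the class to
    // instantiate, so readValue() is protected only by the blacklist that
    // CVE-2018-7489 bypasses when c3p0 is on the classpath.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // the setting this advisory says to avoid
        return mapper;
    }

    // HARDENED: no default typing; polymorphism is expressed with Id.NAME and an
    // explicit @JsonSubTypes allow-list, so a class name never comes from input.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}

    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper(); // default typing stays off
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the discriminator is a logical name, not a class name.
        String json = "{\"type\":\"circle\",\"radius\":2.0}";
        Shape s = hardenedMapper().readValue(json, Shape.class);
        System.out.println("deserialized as " + s.getClass().getSimpleName());

        // An unknown type id is rejected instead of being resolved to a class.
        try {
            hardenedMapper().readValue("{\"type\":\"java.lang.Object\"}", Shape.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected unknown type id: " + e.getOriginalMessage());
        }
    }
}
```

The hardened mapper also ignores any "@class" property in the input, because without default typing Jackson never consults it.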

Affected packages

Platform                                  Package           State         Recommendation  Release
Red Hat BPM Suite 6                       jackson-databind  Affected
Red Hat Fuse 7                            Camel             Affected
Red Hat JBoss A-MQ 6                      jackson-databind  Will not fix
Red Hat JBoss BRMS 6                      jackson-databind  Affected
Red Hat JBoss Data Grid 7                 jackson-databind  Not affected
Red Hat JBoss Data Virtualization 6       jackson-databind  Will not fix
Red Hat JBoss Fuse 6                      jackson-databind  Will not fix
Red Hat JBoss Fuse Integration Service 2  jackson-databind  Affected
Red Hat JBoss Operations Network 3        Core Server       Will not fix
Red Hat Mobile Application Platform 4     jackson-databind  Not affected

Additional information

Status: Moderate
Defect: CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=1549276
jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries

EPSS

Percentile: 97%
0.36207
Medium

8.1 High

CVSS3

Related vulnerabilities

CVSS3: 9.8
ubuntu
almost 8 years ago

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

CVSS3: 9.8
nvd
almost 8 years ago

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

CVSS3: 9.8
debian
almost 8 years ago

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2 ...

CVSS3: 9.8
github
more than 7 years ago

FasterXML jackson-databind allows unauthenticated remote code execution

CVSS3: 9.8
fstec
almost 8 years ago

A vulnerability in the ObjectMapper component of the FasterXML jackson-databind library that allows an attacker to bypass the blacklist restrictions and execute arbitrary code
