Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Remediation

References

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/103880

http://www.securitytracker.com/id/1039769

https://access.redhat.com/errata/RHSA-2017:3189

https://access.redhat.com/errata/RHSA-2017:3190

https://access.redhat.com/errata/RHSA-2018:0342

https://access.redhat.com/errata/RHSA-2018:0478

https://access.redhat.com/errata/RHSA-2018:0479

https://access.redhat.com/errata/RHSA-2018:0480

https://access.redhat.com/errata/RHSA-2018:0481

https://access.redhat.com/errata/RHSA-2018:0576

https://access.redhat.com/errata/RHSA-2018:0577

https://access.redhat.com/errata/RHSA-2018:1447

https://access.redhat.com/errata/RHSA-2018:1448

https://access.redhat.com/errata/RHSA-2018:1449

https://access.redhat.com/errata/RHSA-2018:1450

https://access.redhat.com/errata/RHSA-2018:1451

https://access.redhat.com/errata/RHSA-2018:2927

https://access.redhat.com/errata/RHSA-2019:2858

https://access.redhat.com/errata/RHSA-2019:3149

https://access.redhat.com/errata/RHSA-2019:3892

https://github.com/FasterXML/jackson-databind/issues/1680

https://github.com/FasterXML/jackson-databind/issues/1737

https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html

https://security.netapp.com/advisory/ntap-20171214-0003/

https://www.debian.org/security/2017/dsa-4037

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Related Vulnerabilities

CVE-2020-7649 Vulnerability in npm package snyk-broker

CVE-2021-29441 Vulnerability in maven package com.alibaba.nacos:nacos-common

CVE-2022-39259 Vulnerability in maven package io.github.skylot:jadx-plugins-api

CVE-2020-28469 Vulnerability in maven package org.webjars.bowergithub.es128:glob-parent

CVE-2021-27906 Vulnerability in maven package org.apache.pdfbox:pdfbox

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory VDB Entry Issue Tracking Mailing List