ID CVE-2017-15095
Summary A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
References
Vulnerable Configurations
  • FasterXML Jackson-databind 2.0.0
    cpe:2.3:a:fasterxml:jackson-databind:2.0.0
  • FasterXML Jackson-databind 2.0.0 Release Candidate 1
    cpe:2.3:a:fasterxml:jackson-databind:2.0.0:rc1
  • FasterXML Jackson-databind 2.0.0 Release Candidate 2
    cpe:2.3:a:fasterxml:jackson-databind:2.0.0:rc2
  • FasterXML Jackson-databind 2.0.0 Release Candidate 3
    cpe:2.3:a:fasterxml:jackson-databind:2.0.0:rc3
  • FasterXML Jackson-databind 2.0.1
    cpe:2.3:a:fasterxml:jackson-databind:2.0.1
  • FasterXML Jackson-databind 2.0.2
    cpe:2.3:a:fasterxml:jackson-databind:2.0.2
  • FasterXML Jackson-databind 2.0.4
    cpe:2.3:a:fasterxml:jackson-databind:2.0.4
  • FasterXML Jackson-databind 2.0.5
    cpe:2.3:a:fasterxml:jackson-databind:2.0.5
  • FasterXML Jackson-databind 2.0.6
    cpe:2.3:a:fasterxml:jackson-databind:2.0.6
  • FasterXML Jackson-databind 2.1.0
    cpe:2.3:a:fasterxml:jackson-databind:2.1.0
  • FasterXML Jackson-databind 2.1.1
    cpe:2.3:a:fasterxml:jackson-databind:2.1.1
  • FasterXML Jackson-databind 2.1.2
    cpe:2.3:a:fasterxml:jackson-databind:2.1.2
  • FasterXML Jackson-databind 2.1.3
    cpe:2.3:a:fasterxml:jackson-databind:2.1.3
  • FasterXML Jackson-databind 2.1.4
    cpe:2.3:a:fasterxml:jackson-databind:2.1.4
  • FasterXML Jackson-databind 2.1.5
    cpe:2.3:a:fasterxml:jackson-databind:2.1.5
  • FasterXML Jackson-databind 2.2.0
    cpe:2.3:a:fasterxml:jackson-databind:2.2.0
  • FasterXML Jackson-databind 2.2.0 Release Candidate 1
    cpe:2.3:a:fasterxml:jackson-databind:2.2.0:rc1
  • FasterXML Jackson-databind 2.2.1
    cpe:2.3:a:fasterxml:jackson-databind:2.2.1
  • FasterXML Jackson-databind 2.2.2
    cpe:2.3:a:fasterxml:jackson-databind:2.2.2
  • FasterXML Jackson-databind 2.2.3
    cpe:2.3:a:fasterxml:jackson-databind:2.2.3
  • FasterXML Jackson-databind 2.2.4
    cpe:2.3:a:fasterxml:jackson-databind:2.2.4
  • FasterXML Jackson-databind 2.3.0
    cpe:2.3:a:fasterxml:jackson-databind:2.3.0
  • FasterXML Jackson-databind 2.3.0 Release Candidate 1
    cpe:2.3:a:fasterxml:jackson-databind:2.3.0:rc1
  • FasterXML Jackson-databind 2.3.1
    cpe:2.3:a:fasterxml:jackson-databind:2.3.1
  • FasterXML Jackson-databind 2.3.2
    cpe:2.3:a:fasterxml:jackson-databind:2.3.2
  • FasterXML Jackson-databind 2.3.3
    cpe:2.3:a:fasterxml:jackson-databind:2.3.3
  • FasterXML Jackson-databind 2.3.4
    cpe:2.3:a:fasterxml:jackson-databind:2.3.4
  • FasterXML Jackson-databind 2.3.5
    cpe:2.3:a:fasterxml:jackson-databind:2.3.5
  • FasterXML Jackson-databind 2.4.0
    cpe:2.3:a:fasterxml:jackson-databind:2.4.0
  • FasterXML Jackson-databind 2.4.0 Release Candidate 1
    cpe:2.3:a:fasterxml:jackson-databind:2.4.0:rc1
  • FasterXML Jackson-databind 2.4.0 Release Candidate 2
    cpe:2.3:a:fasterxml:jackson-databind:2.4.0:rc2
  • FasterXML Jackson-databind 2.4.0 Release Candidate 3
    cpe:2.3:a:fasterxml:jackson-databind:2.4.0:rc3
  • FasterXML Jackson-databind 2.4.1
    cpe:2.3:a:fasterxml:jackson-databind:2.4.1
  • FasterXML Jackson-databind 2.4.1.1
    cpe:2.3:a:fasterxml:jackson-databind:2.4.1.1
  • FasterXML Jackson-databind 2.4.1.2
    cpe:2.3:a:fasterxml:jackson-databind:2.4.1.2
  • FasterXML Jackson-databind 2.4.1.3
    cpe:2.3:a:fasterxml:jackson-databind:2.4.1.3
  • FasterXML Jackson-databind 2.4.2
    cpe:2.3:a:fasterxml:jackson-databind:2.4.2
  • FasterXML Jackson-databind 2.4.3
    cpe:2.3:a:fasterxml:jackson-databind:2.4.3
  • FasterXML Jackson-databind 2.4.4
    cpe:2.3:a:fasterxml:jackson-databind:2.4.4
  • FasterXML Jackson-databind 2.4.5
    cpe:2.3:a:fasterxml:jackson-databind:2.4.5
  • FasterXML Jackson-databind 2.4.5.1
    cpe:2.3:a:fasterxml:jackson-databind:2.4.5.1
  • FasterXML Jackson-databind 2.4.6
    cpe:2.3:a:fasterxml:jackson-databind:2.4.6
  • FasterXML Jackson-databind 2.4.6.1
    cpe:2.3:a:fasterxml:jackson-databind:2.4.6.1
  • FasterXML Jackson-databind 2.5.0
    cpe:2.3:a:fasterxml:jackson-databind:2.5.0
  • FasterXML Jackson-databind 2.5.0 Release Candidate 1
    cpe:2.3:a:fasterxml:jackson-databind:2.5.0:rc1
  • FasterXML Jackson-databind 2.5.1
    cpe:2.3:a:fasterxml:jackson-databind:2.5.1
  • FasterXML Jackson-databind 2.5.2
    cpe:2.3:a:fasterxml:jackson-databind:2.5.2
  • FasterXML Jackson-databind 2.5.3
    cpe:2.3:a:fasterxml:jackson-databind:2.5.3
  • FasterXML Jackson-databind 2.5.4
    cpe:2.3:a:fasterxml:jackson-databind:2.5.4
  • FasterXML Jackson-databind 2.5.5
    cpe:2.3:a:fasterxml:jackson-databind:2.5.5
  • FasterXML Jackson-databind 2.6.0
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0
  • FasterXML Jackson-databind 2.6.0 Release Candidate 1
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc1
  • FasterXML Jackson-databind 2.6.0 Release Candidate 2
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc2
  • FasterXML Jackson-databind 2.6.0 Release Candidate 3
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc3
  • FasterXML Jackson-databind 2.6.0 Release Candidate 4
    cpe:2.3:a:fasterxml:jackson-databind:2.6.0:rc4
  • FasterXML Jackson-databind 2.6.1
    cpe:2.3:a:fasterxml:jackson-databind:2.6.1
  • FasterXML Jackson-databind 2.6.2
    cpe:2.3:a:fasterxml:jackson-databind:2.6.2
  • FasterXML Jackson-databind 2.6.3
    cpe:2.3:a:fasterxml:jackson-databind:2.6.3
  • FasterXML Jackson-databind 2.6.4
    cpe:2.3:a:fasterxml:jackson-databind:2.6.4
  • FasterXML Jackson-databind 2.6.5
    cpe:2.3:a:fasterxml:jackson-databind:2.6.5
  • FasterXML Jackson-databind 2.6.6
    cpe:2.3:a:fasterxml:jackson-databind:2.6.6
  • FasterXML Jackson-databind 2.6.7
    cpe:2.3:a:fasterxml:jackson-databind:2.6.7
  • FasterXML Jackson-databind 2.6.7.1
    cpe:2.3:a:fasterxml:jackson-databind:2.6.7.1
  • FasterXML Jackson-databind 2.6.7.2
    cpe:2.3:a:fasterxml:jackson-databind:2.6.7.2
  • FasterXML Jackson-databind 2.7.0
    cpe:2.3:a:fasterxml:jackson-databind:2.7.0
  • FasterXML Jackson-databind 2.7.0 Release Candidate 1
    cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc1
  • FasterXML Jackson-databind 2.7.0 Release Candidate 2
    cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc2
  • FasterXML Jackson-databind 2.7.0 Release Candidate 3
    cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc3
  • FasterXML Jackson-databind 2.7.1
    cpe:2.3:a:fasterxml:jackson-databind:2.7.1
  • FasterXML Jackson-databind 2.7.1-1
    cpe:2.3:a:fasterxml:jackson-databind:2.7.1-1
  • FasterXML Jackson-databind 2.7.2
    cpe:2.3:a:fasterxml:jackson-databind:2.7.2
  • FasterXML Jackson-databind 2.7.3
    cpe:2.3:a:fasterxml:jackson-databind:2.7.3
  • FasterXML Jackson-databind 2.7.4
    cpe:2.3:a:fasterxml:jackson-databind:2.7.4
  • FasterXML Jackson-databind 2.7.5
    cpe:2.3:a:fasterxml:jackson-databind:2.7.5
  • FasterXML Jackson-databind 2.7.6
    cpe:2.3:a:fasterxml:jackson-databind:2.7.6
  • FasterXML Jackson-databind 2.7.7
    cpe:2.3:a:fasterxml:jackson-databind:2.7.7
  • FasterXML Jackson-databind 2.7.8
    cpe:2.3:a:fasterxml:jackson-databind:2.7.8
  • FasterXML Jackson-databind 2.7.9
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9
  • FasterXML Jackson-databind 2.7.9.1
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9.1
  • FasterXML Jackson-databind 2.7.9.2
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9.2
  • FasterXML Jackson-databind 2.7.9.3
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9.3
  • FasterXML Jackson-databind 2.7.9.4
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9.4
  • FasterXML Jackson-databind 2.7.9.5
    cpe:2.3:a:fasterxml:jackson-databind:2.7.9.5
  • FasterXML Jackson-databind 2.8.0
    cpe:2.3:a:fasterxml:jackson-databind:2.8.0
  • FasterXML Jackson-databind 2.8.1
    cpe:2.3:a:fasterxml:jackson-databind:2.8.1
  • FasterXML Jackson-databind 2.8.2
    cpe:2.3:a:fasterxml:jackson-databind:2.8.2
  • FasterXML Jackson-databind 2.8.3
    cpe:2.3:a:fasterxml:jackson-databind:2.8.3
  • FasterXML Jackson-databind 2.8.4
    cpe:2.3:a:fasterxml:jackson-databind:2.8.4
  • FasterXML Jackson-databind 2.8.5
    cpe:2.3:a:fasterxml:jackson-databind:2.8.5
  • FasterXML Jackson-databind 2.8.6
    cpe:2.3:a:fasterxml:jackson-databind:2.8.6
  • FasterXML Jackson-databind 2.8.7
    cpe:2.3:a:fasterxml:jackson-databind:2.8.7
  • FasterXML Jackson-databind 2.8.8
    cpe:2.3:a:fasterxml:jackson-databind:2.8.8
  • FasterXML Jackson-databind 2.8.8.1
    cpe:2.3:a:fasterxml:jackson-databind:2.8.8.1
  • FasterXML Jackson-databind 2.8.9
    cpe:2.3:a:fasterxml:jackson-databind:2.8.9
  • FasterXML Jackson-Databind 2.9.0
    cpe:2.3:a:fasterxml:jackson-databind:2.9.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • FasterXML Jackson 1.0.0
    cpe:2.3:a:fasterxml:jackson:1.0.0
  • FasterXML Jackson 1.1.0
    cpe:2.3:a:fasterxml:jackson:1.1.0
  • FasterXML Jackson 1.1.2
    cpe:2.3:a:fasterxml:jackson:1.1.2
  • FasterXML Jackson 1.2.0
    cpe:2.3:a:fasterxml:jackson:1.2.0
  • FasterXML Jackson 1.3
    cpe:2.3:a:fasterxml:jackson:1.3
  • FasterXML Jackson 1.4.0
    cpe:2.3:a:fasterxml:jackson:1.4.0
  • FasterXML Jackson 1.4.6
    cpe:2.3:a:fasterxml:jackson:1.4.6
  • FasterXML Jackson 1.5
    cpe:2.3:a:fasterxml:jackson:1.5
  • FasterXML Jackson 1.6
    cpe:2.3:a:fasterxml:jackson:1.6
  • FasterXML Jackson 1.7
    cpe:2.3:a:fasterxml:jackson:1.7
  • FasterXML Jackson 1.8
    cpe:2.3:a:fasterxml:jackson:1.8
  • FasterXML Jackson 1.9
    cpe:2.3:a:fasterxml:jackson:1.9
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-502
CAPEC
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2927.NASL
    description An update is now available for Red Hat Satellite 6.4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * hornetq: XXE/SSRF in XPath selector (CVE-2015-3208) * bouncycastle: Information disclosure in GCMBlockCipher (CVE-2015-6644) * bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338) * bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339) * bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341) * bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (CVE-2016-1000342) * bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344) * bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345) * bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346) * bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352) * logback: Serialization vulnerability in SocketServer and ServerSocketReceiver (CVE-2017-5929) * python-django: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (CVE-2017-7233) * hibernate-validator: Privilege escalation when running under the security manager (CVE-2017-7536) * puppet: Environment leakage in puppet-agent (CVE-2017-10690) * Satellite 6: XSS in discovery rule filter autocomplete functionality (CVE-2017-12175) * foreman: Stored XSS in fact name or value (CVE-2017-15100) * pulp: sensitive credentials revealed through the API (CVE-2018-1090) * foreman: SQL injection due to improper handling of the widget id parameter (CVE-2018-1096) * foreman: Ovirt admin password exposed by foreman API (CVE-2018-1097) * django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc' (CVE-2018-7536) * django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html' (CVE-2018-7537) * guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237) * bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340) * bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343) * puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions (CVE-2017-10689) * bouncycastle: BKS-V1 keystore files vulnerable to trivial hash collisions (CVE-2018-5382) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; and the Django project for reporting CVE-2017-7233, CVE-2018-7536, and CVE-2018-7537. The CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat); and the CVE-2018-1096 issue was discovered by Martin Povolny (Red Hat). Red Hat would also like to thank David Jorm (IIX Product Security) for reporting CVE-2015-3208. Additional Changes : This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 118185
    published 2018-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118185
    title RHEL 7 : Satellite Server (RHSA-2018:2927)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0480.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174) * infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561) * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048) * jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108324
    published 2018-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108324
    title RHEL 7 : JBoss EAP (RHSA-2018:0480)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1449.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109906
    published 2018-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109906
    title RHEL 6 : JBoss EAP (RHSA-2018:1449)
  • NASL family Misc.
    NASL id ORACLE_IDENTITY_MANAGEMENT_CPU_OCT_2018.NASL
    description The remote host is missing the October 2018 Critical Patch Update for Oracle Identity Manager. It is, therefore, affected by multiple vulnerabilities as described in the October 2018 critical patch update advisory : - An unspecified vulnerability in the Oracle Identity Management Suite in the Suite Level Patch Issues (Apache Log4j) subcomponent could allow an unauthenticated, remote attacker with network access via HTTP to compromise Oracle Identity Management Suite. (CVE-2017-5645) - An unspecified vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware in the Advanced Console subcomponent could allow an unauthenticated, remote attacker with network access via HTTP to compromise Oracle Identity Manager. (CVE-2018-3179) - An unspecified vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware in the Installer (jackson-databind) subcomponent could allow an unauthenticated, remote attacker with network access via HTTP to compromise Oracle Identity Manager. (CVE-2017-15095) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-12-13
    plugin id 118330
    published 2018-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118330
    title Oracle Identity Manager Multiple Vulnerabilities (October 2018 CPU)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3189.NASL
    description An update for rh-eclipse47-jackson-databind is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix(es) : * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. (CVE-2017-15095) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104538
    published 2017-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104538
    title RHEL 7 : rh-eclipse47-jackson-databind (RHSA-2017:3189)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0481.NASL
    description An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.1.1 Refer to the JBoss Enterprise Application Platform 7.1 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. Security Fix(es) : * artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174) * infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561) * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048) * jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108325
    published 2018-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108325
    title RHEL 6 / 7 : JBoss EAP (RHSA-2018:0481)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1451.NASL
    description An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.19. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109838
    published 2018-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109838
    title RHEL 6 : eap6-jboss-ec2-eap (RHSA-2018:1451)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1448.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109905
    published 2018-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109905
    title RHEL 7 : JBoss EAP (RHSA-2018:1448)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0342.NASL
    description An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix(es) : * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525) * Further classes that an attacker could use to achieve code execution through deserialisation were discovered, and added to the blacklist introduced by CVE-2017-7525. (CVE-2017-15095, CVE-2017-17485) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525 and CVE-2017-15095 and 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109428
    published 2018-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109428
    title RHEL 7 : rh-maven35-jackson-databind (RHSA-2018:0342)
  • NASL family Databases
    NASL id ORACLE_RDBMS_CPU_JUL_2018.NASL
    description The remote Oracle Database Server is missing the July 2018 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities: - An unspecified vulnerability in the Oracle Spatial (jackson-databind) component of Oracle Database Server allows an unauthenticated, remote attacker with network access via multiple protocols to compromise Oracle Spatial. (CVE-2017-15095) - An unspecified vulnerability in the Core RDBMS component of Oracle Database Server allows a low privileged attacker to inject or manipulate RDBMS data, resulting in compromise of Core RDBMS. (CVE-2018-2939) - An unspecified vulnerability in the Java VM component of Oracle Database Server allows a low privileged attacker with Create Session, Create Procedure privilege to compromise a Java VM. (CVE-2018-3004, CVE-2018-3110) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-12-21
    plugin id 111219
    published 2018-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111219
    title Oracle Database Server Multiple Vulnerabilities (July 2018 CPU)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-E16ED3F7A1.NASL
    description Security fix for CVE-2017-15095 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-03-19
    plugin id 104610
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104610
    title Fedora 26 : jackson-databind (2017-e16ed3f7a1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-4A071ECBC7.NASL
    description Security fix for CVE-2017-15095 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-03-19
    plugin id 105867
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105867
    title Fedora 27 : jackson-databind (2017-4a071ecbc7)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4037.NASL
    description It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing: following DSA-4004-1 for CVE-2017-7525, an additional set of classes was identified as unsafe for deserialization.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104643
    published 2017-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104643
    title Debian DSA-4037-1 : jackson-databind - security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0479.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174) * infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561) * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048) * jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108323
    published 2018-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108323
    title RHEL 6 : JBoss EAP (RHSA-2018:0479)
  • NASL family CGI abuses
    NASL id ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2018.NASL
    description According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.x prior to 16.2.12.3 or 17.x prior to 17.12.3.0. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-07-26
    plugin id 109164
    published 2018-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109164
    title Oracle Primavera Unifier Multiple Vulnerabilities (April 2018 CPU)
redhat via4
advisories
  • rhsa
    id RHSA-2017:3189
  • rhsa
    id RHSA-2017:3190
  • rhsa
    id RHSA-2018:0342
  • rhsa
    id RHSA-2018:0478
  • rhsa
    id RHSA-2018:0479
  • rhsa
    id RHSA-2018:0480
  • rhsa
    id RHSA-2018:0481
  • rhsa
    id RHSA-2018:0576
  • rhsa
    id RHSA-2018:0577
  • rhsa
    id RHSA-2018:1447
  • rhsa
    id RHSA-2018:1448
  • rhsa
    id RHSA-2018:1449
  • rhsa
    id RHSA-2018:1450
  • rhsa
    id RHSA-2018:1451
  • rhsa
    id RHSA-2018:2927
refmap via4
bid 103880
confirm
debian DSA-4037
sectrack 1039769
Last major update 06-02-2018 - 10:29
Published 06-02-2018 - 10:29
Last modified 16-01-2019 - 14:29
Back to Top