CA PPM: Jackson JSON Library vulnerabilities

Document ID : KB000110189
Last Modified Date : 10/08/2018
Issue:
Summary:

Jackson JSON library vulnerabilities have been identified in the jackson-databind component shipped with CA PPM:

component_name = jackson-databind 
component_version = 2.6.2 

cve_number: CVE-2017-15095 
vulnerability_severity: High 
vulnerability_description: 
A deserialization flaw was discovered in jackson-databind versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

cve_number: CVE-2017-7525 
vulnerability_severity: High 
vulnerability_description: 
A deserialization flaw was discovered in jackson-databind versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.

cve_number: CVE-2018-7489 
vulnerability_severity: High 
vulnerability_description: 
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
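All three CVEs share one precondition that the descriptions above leave implicit: the application must let ObjectMapper pick the target class from the JSON itself, either through enableDefaultTyping() or through a polymorphic @JsonTypeInfo target typed as Object. The blacklist that each fix extends is only a stop-gap for that configuration. The following Java program is an added example, not CA PPM or FasterXML code; it assumes a 2.9.x jackson-databind on the classpath, and the Shape/Circle/Square classes and the sample JSON are constructed for illustration, with java.util.HashMap standing in for the gadget classes the blacklist targets. It shows the weak configuration accepting an attacker-chosen class name, the hardened configuration (no default typing, an explicit subtype allow-list) rejecting one, and how to read the bundled jackson-databind version for an upgrade check.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;

public class JacksonPolymorphismDemo {

    // Hypothetical DTO hierarchy. The allow-list of concrete subtypes is declared
    // on the base type; only the logical names "circle" and "square" are accepted.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public static abstract class Shape {}
    public static class Circle extends Shape { public double radius; }
    public static class Square extends Shape { public double side; }

    // Constructed attacker-style document: with default typing on, the first array
    // element is a fully qualified class name that ObjectMapper will instantiate.
    // java.util.HashMap is a harmless stand-in for the classes the CVEs describe.
    static final String TYPED_INPUT = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // Weak configuration: enableDefaultTyping() (OBJECT_AND_NON_CONCRETE) makes
    // readValue(json, Object.class) honor class names taken from the input. This is
    // the code path CVE-2017-7525 / CVE-2017-15095 / CVE-2018-7489 are about; the
    // blacklist only blocks known gadget names, not the mechanism itself.
    static Object deserializeWithDefaultTyping(String json) throws Exception {
        ObjectMapper weak = new ObjectMapper();
        weak.enableDefaultTyping();
        return weak.readValue(json, Object.class);
    }

    // Hardened configuration: default typing stays off (the ObjectMapper default),
    // and polymorphism is limited to the subtypes enumerated on Shape. A type id that
    // is not in the allow-list fails with a JsonMappingException instead of loading a class.
    static Shape deserializeAllowListed(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, Shape.class);
    }

    // Version actually loaded at runtime, for comparing against the fixed releases
    // named in the advisory (2.8.11.1 / 2.9.5 for CVE-2018-7489).
    static String loadedDatabindVersion() {
        return PackageVersion.VERSION.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jackson-databind on classpath: " + loadedDatabindVersion());

        Object o = deserializeWithDefaultTyping(TYPED_INPUT);
        System.out.println("default typing instantiated: " + o.getClass().getName());

        Shape s = deserializeAllowListed("{\"type\":\"circle\",\"radius\":2.0}");
        System.out.println("allow-listed subtype: " + s.getClass().getSimpleName());

        try {
            deserializeAllowListed("{\"type\":\"java.util.HashMap\"}");
        } catch (JsonMappingException e) {
            System.out.println("rejected unknown type id: " + e.getOriginalMessage());
        }
    }
}
```

The first readValue call prints java.util.HashMap because the class name came from the document, not from the code; swap in one of the blacklisted gadget names on a pre-fix build and the same line is the remote code execution path the CVEs describe. The upgrade remains necessary even with default typing off, since any @JsonTypeInfo property typed as Object reaches the same resolver; the allow-list pattern above is what keeps a future blacklist bypass from mattering.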
 
Cause:
Tracked as defects DE38088 and DE43207.
Resolution:
DE38088: Fix for "DE38088 Jackson JSON Library vulnerabilities" covers CVE-2017-15095 and CVE-2017-7525. The fix upgraded the bundled jackson-databind to version 2.9.3.

DE43207: Open. Version 2.9.3 is still within the range affected by CVE-2018-7489 (2.9.x before 2.9.5), so that CVE is not addressed by the DE38088 upgrade. The defect is targeted for resolution in a future release.