Critical Severity Vulnerability
This vulnerability has been rated as Critical severity. Immediate action is recommended.
CVE-2017-15095
Vulnerability Description
A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525; the fix blacklists more classes that could be used maliciously.
CVSS Metrics
Common Vulnerability Scoring System
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Known Affected Software
41 configuration(s) from 5 vendor(s)
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:-:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_performance_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_manager:11.1.2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_server:12.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_server:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_advanced_spatial_and_operational_analytics:2.7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:clusterware:12.1.0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:redhat:satellite_capsule:6.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:x86:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:satellite:6.4:-:*:*:*:*:*:*
References & Resources
Every reference below is reported by secalert@redhat.com and again by source af854a3a-2127-422b-91ae-364da2661108 with the same tags; each URL is listed once, with its tags.
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html (Patch, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (Patch, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/103880 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1039769 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:3189 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:3190 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0342 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0478 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0479 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0480 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0481 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0576 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0577 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1447 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1448 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1449 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1450 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1451 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2927 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:2858 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3149 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3892 (Third Party Advisory)
- https://github.com/FasterXML/jackson-databind/issues/1680 (Issue Tracking, Third Party Advisory)
- https://github.com/FasterXML/jackson-databind/issues/1737 (Issue Tracking, Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20171214-0003/ (Third Party Advisory)
- https://www.debian.org/security/2017/dsa-4037 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2020.html (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch, Third Party Advisory)
Severity Details
Weakness Type (CWE): Incomplete List of Disallowed Inputs (CWE-184)
- Description: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
- Typical Severity: Medium
- Abstraction Level: Base
Key Information
- Published Date: February 06, 2018
