CVE-2017-15095

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
VendorProductVersion
fasterxmljackson-databind
2.0.0 ≤
𝑥
< 2.6.7.2
fasterxmljackson-databind
2.7.0 ≤
𝑥
< 2.7.9.2
fasterxmljackson-databind
2.8.0 ≤
𝑥
< 2.8.10
fasterxmljackson-databind
2.9.0
fasterxmljackson-databind
2.9.0:prerelease1
fasterxmljackson-databind
2.9.0:prerelease2
fasterxmljackson-databind
2.9.0:prerelease3
fasterxmljackson-databind
2.9.0:prerelease4
debiandebian_linux
8.0
debiandebian_linux
9.0
redhatopenshift_container_platform
3.11
redhatsatellite
6.4
redhatsatellite_capsule
6.4
redhatopenshift_container_platform
4.1
redhatjboss_enterprise_application_platform
6.0.0
redhatjboss_enterprise_application_platform
6.4.0
redhatjboss_enterprise_application_platform
7.1.0
netapponcommand_balance
-
netapponcommand_performance_manager
-
netapponcommand_performance_manager
-
netapponcommand_shift
-
netappsnapcenter
-
oraclebanking_platform
2.5.0
oraclebanking_platform
2.6.0
oraclebanking_platform
2.6.1
oraclebanking_platform
2.6.2
oracleclusterware
12.1.0.2.0
oraclecommunications_billing_and_revenue_management
7.5
oraclecommunications_billing_and_revenue_management
12.0
oraclecommunications_diameter_signaling_router
𝑥
< 8.3
oraclecommunications_instant_messaging_server
10.0.1.2.0
oracledatabase_server
12.2.0.1
oracledatabase_server
18.1
oracleenterprise_manager_for_virtualization
13.2.2
oracleenterprise_manager_for_virtualization
13.2.3
oracleenterprise_manager_for_virtualization
13.3.1
oraclefinancial_services_analytical_applications_infrastructure
8.0.2
oraclefinancial_services_analytical_applications_infrastructure
8.0.3
oraclefinancial_services_analytical_applications_infrastructure
8.0.4
oraclefinancial_services_analytical_applications_infrastructure
8.0.5
oraclefinancial_services_analytical_applications_infrastructure
8.0.6
oraclefinancial_services_analytical_applications_infrastructure
8.0.7
oracleglobal_lifecycle_management_opatchauto
𝑥
< 12.2.0.1.14
oracleidentity_manager
11.1.2.3.0
oracleidentity_manager
12.2.1.3.0
oraclejd_edwards_enterpriseone_tools
9.2
oracleprimavera_unifier
17.1 ≤
𝑥
≤ 17.12
oracleprimavera_unifier
16.1
oracleprimavera_unifier
16.2
oracleprimavera_unifier
18.8
oracleutilities_advanced_spatial_and_operational_analytics
2.7.0.1
oraclewebcenter_portal
12.2.1.3.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jackson-databind
bullseye (security)
2.12.1-1+deb11u1
fixed
bullseye
2.12.1-1+deb11u1
fixed
sid
2.14.0-1
fixed
trixie
2.14.0-1
fixed
bookworm
2.14.0-1
fixed
libjackson-json-java
sid
1.9.13-2
fixed
trixie
1.9.13-2
fixed
bookworm
1.9.13-2
fixed
bullseye
1.9.13-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jackson-databind
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
Fixed 2.8.6-1+deb9u2build0.17.10.1
released
zesty
Fixed 2.8.6-1+deb9u2build0.17.04.1
released
xenial
Fixed 2.4.2-3ubuntu0.1~esm1
released
trusty
Fixed 2.2.2-1ubuntu0.1~esm1
released
libjackson-json-java
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
ignored
focal
needs-triage
bionic
needs-triage
xenial
Fixed 1.9.2-7ubuntu0.2
released
trusty
Fixed 1.9.2-3+deb8u1build0.14.04.1~esm1
released
Common Weakness Enumeration
References
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/103880
http://www.securitytracker.com/id/1039769
https://access.redhat.com/errata/RHSA-2017:3189
https://access.redhat.com/errata/RHSA-2017:3190
https://access.redhat.com/errata/RHSA-2018:0342
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:0576
https://access.redhat.com/errata/RHSA-2018:0577
https://access.redhat.com/errata/RHSA-2018:1447
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1451
https://access.redhat.com/errata/RHSA-2018:2927
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:3892
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1737
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
https://security.netapp.com/advisory/ntap-20171214-0003/
https://www.debian.org/security/2017/dsa-4037
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/103880
http://www.securitytracker.com/id/1039769
https://access.redhat.com/errata/RHSA-2017:3189
https://access.redhat.com/errata/RHSA-2017:3190
https://access.redhat.com/errata/RHSA-2018:0342
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:0576
https://access.redhat.com/errata/RHSA-2018:0577
https://access.redhat.com/errata/RHSA-2018:1447
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1451
https://access.redhat.com/errata/RHSA-2018:2927
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:3892
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1737
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
https://security.netapp.com/advisory/ntap-20171214-0003/
https://www.debian.org/security/2017/dsa-4037
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html