CVE-2017-17485

high-risk

Published 2018-01-10

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Do I need to act?

79.8% chance of exploitation in next 30 days

EPSS score — higher than 20% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: ec1adf8c72625fd51b30105afad7464c4332d542, 9e170e1a28221cf273e8a63e01f1731a9fcd11bc, a6efd882b6df2f8fd1fc20dc24e938d24e91c4db, 8b1b40f3a8ab910a065d216e71cd40e7f0828415

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (12)

Jackson-Databind

Debian Linux

Jboss Enterprise Application Platform

Openshift Container Platform

E-Series Santricity Os Controller

E-Series Santricity Web Services Proxy

Oncommand Shift

Snapcenter

Affected Vendors

Debian Redhat Netapp Fasterxml

References (48)

Third Party Advisory http://www.securityfocus.com/archive/1/541652/100/0/threaded

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0116

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0342

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0478

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0479

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0480

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0481

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1447

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1448

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1449

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1450

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1451

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:2930

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1782

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1797

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2858

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3149

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3892

Third Party Advisory https://github.com/FasterXML/jackson-databind/issues/1855

Third Party Advisory https://github.com/irsl/jackson-rce-via-spel/

and 28 more references

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 20/34 · Moderate

Exposure 17/34 · Moderate