CVE-2017-15095
CVE-2017-15095 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. EPSS estimates an 8.41% chance of exploitation in the next 30 days.
Description
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Fasterxml | Jackson-Databind | >= 2.0.0, < 2.6.7.2 |
| Fasterxml | Jackson-Databind | >= 2.7.0, < 2.7.9.2 |
| Fasterxml | Jackson-Databind | >= 2.8.0, < 2.8.10 |
| Fasterxml | Jackson-Databind | 2.9.0 |
| Debian | Debian Linux | 8.0 |
| Debian | Debian Linux | 9.0 |
| Redhat | Openshift Container Platform | 3.11 |
| Redhat | Satellite | 6.4 |
| Redhat | Satellite Capsule | 6.4 |
| Redhat | Openshift Container Platform | 4.1 |
| Redhat | Jboss Enterprise Application Platform | 6.0.0 |
| Redhat | Jboss Enterprise Application Platform | 6.4.0 |
| Redhat | Jboss Enterprise Application Platform | 7.1.0 |
| Netapp | Oncommand Balance | All versions |
| Netapp | Oncommand Performance Manager | All versions |
| Netapp | Oncommand Shift | All versions |
| Netapp | Snapcenter | All versions |
| Oracle | Banking Platform | 2.5.0 |
| Oracle | Banking Platform | 2.6.0 |
| Oracle | Banking Platform | 2.6.1 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Clusterware | 12.1.0.2.0 |
| Oracle | Communications Billing And Revenue Management | 7.5 |
| Oracle | Communications Billing And Revenue Management | 12.0 |
| Oracle | Communications Diameter Signaling Router | < 8.3 |
| Oracle | Communications Instant Messaging Server | 10.0.1.2.0 |
| Oracle | Database Server | 12.2.0.1 |
| Oracle | Database Server | 18.1 |
| Oracle | Enterprise Manager For Virtualization | 13.2.2 |
| Oracle | Enterprise Manager For Virtualization | 13.2.3 |
| Oracle | Enterprise Manager For Virtualization | 13.3.1 |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.2 |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.3 |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.4 |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.5 |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.6 |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.7 |
| Oracle | Global Lifecycle Management Opatchauto | < 12.2.0.1.14 |
| Oracle | Identity Manager | 11.1.2.3.0 |
| Oracle | Identity Manager | 12.2.1.3.0 |
| Oracle | Jd Edwards Enterpriseone Tools | 9.2 |
| Oracle | Primavera Unifier | >= 17.1, <= 17.12 |
| Oracle | Primavera Unifier | 16.1 |
| Oracle | Primavera Unifier | 16.2 |
| Oracle | Primavera Unifier | 18.8 |
| Oracle | Utilities Advanced Spatial And Operational Analytics | 2.7.0.1 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
References
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html (Patch, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (Patch, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/103880 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1039769 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:3189 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:3190 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0342 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0478 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0479 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0480 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0481 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0576 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0577 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1447 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1448 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1449 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1450 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1451 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2927 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:2858 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3149 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3892 (Third Party Advisory)
- https://github.com/FasterXML/jackson-databind/issues/1680 (Issue Tracking, Third Party Advisory)
- https://github.com/FasterXML/jackson-databind/issues/1737 (Issue Tracking, Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20171214-0003/ (Third Party Advisory)
- https://www.debian.org/security/2017/dsa-4037 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2020.html (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-15095?
How severe is CVE-2017-15095?
How do I fix CVE-2017-15095?
Source: NVD / NIST
