CVE-2017-7525
CRITICALCVSS 9.8/10EPSS 37.92%
Last modified
CVE-2017-7525 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.. EPSS estimates a 37.92% chance of exploitation in the next 30 days.
Description
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Fasterxml | Jackson-Databind | < 2.6.7.1 | — |
| Fasterxml | Jackson-Databind | >= 2.7.0, < 2.7.9.1 | — |
| Fasterxml | Jackson-Databind | >= 2.8.0, < 2.8.9 | — |
| Fasterxml | Jackson-Databind | 2.9.0 | Prerelease1 |
| Debian | Debian Linux | 8.0 | — |
| Debian | Debian Linux | 9.0 | — |
| Netapp | Oncommand Balance | All versions | — |
| Netapp | Oncommand Performance Manager | All versions | — |
| Netapp | Oncommand Shift | All versions | — |
| Netapp | Snapcenter | All versions | — |
| Redhat | Openshift Container Platform | 4.1 | — |
| Redhat | Virtualization | 4.0 | — |
| Redhat | Virtualization Host | 4.0 | — |
| Redhat | Jboss Enterprise Application Platform | 6.0.0 | — |
| Redhat | Jboss Enterprise Application Platform | 6.4.0 | — |
| Redhat | Jboss Enterprise Application Platform | 7.0 | — |
| Redhat | Jboss Enterprise Application Platform | 7.1 | — |
| Redhat | Openshift Container Platform | 3.11 | — |
| Oracle | Banking Platform | 2.5.0 | — |
| Oracle | Banking Platform | 2.6.0 | — |
| Oracle | Banking Platform | 2.6.1 | — |
| Oracle | Banking Platform | 2.6.2 | — |
| Oracle | Communications Billing And Revenue Management | 7.5 | — |
| Oracle | Communications Billing And Revenue Management | 12.0 | — |
| Oracle | Communications Communications Policy Management | >= 12.0, <= 12.5.2 | — |
| Oracle | Communications Diameter Signaling Route | < 8.3 | — |
| Oracle | Communications Instant Messaging Server | 10.0.1 | — |
| Oracle | Communications Instant Messaging Server | 10.0.1.2.0 | — |
| Oracle | Enterprise Manager For Virtualization | 13.2.2 | — |
| Oracle | Enterprise Manager For Virtualization | 13.2.3 | — |
| Oracle | Enterprise Manager For Virtualization | 13.3.1 | — |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.2.0.0 | — |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.3.0.0 | — |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.4.0.0 | — |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.5.0.0 | — |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.6.0.0 | — |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.0.7.0.0 | — |
| Oracle | Global Lifecycle Management Opatchauto | < 12.2.0.1.14 | — |
| Oracle | Primavera Unifier | >= 17.1, <= 17.12 | — |
| Oracle | Primavera Unifier | 16.1 | — |
| Oracle | Primavera Unifier | 16.2 | — |
| Oracle | Primavera Unifier | 18.8 | — |
| Oracle | Utilities Advanced Spatial And Operational Analytics | 2.7.0.1 | — |
| Oracle | Webcenter Portal | 12.2.1.3.0 | — |
References
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlPatch, Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatch, Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatch, Third Party Advisory
- http://www.securityfocus.com/bid/99623Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1039744Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1039947Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1040360Third Party Advisory, VDB Entry
- https://access.redhat.com/errata/RHSA-2017:1834Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:1835Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:1836Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:1837Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:1839Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:1840Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2477Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2546Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2547Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2633Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2635Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2636Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2637Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2638Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:3141Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:3454Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:3455Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:3456Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:3458Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:0294Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:0342Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:1449Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:1450Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0910Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:2858Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:3149Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1462702Issue Tracking, Third Party Advisory
- https://cwiki.apache.org/confluence/display/WW/S2-055Third Party Advisory
- https://github.com/FasterXML/jackson-databind/issues/1599Issue Tracking, Patch, Third Party Advisory
- https://github.com/FasterXML/jackson-databind/issues/1723Issue Tracking, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/01/msg00037.htmlMailing List, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/08/msg00039.htmlMailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20171214-0002/Third Party Advisory
- https://www.debian.org/security/2017/dsa-4004Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch, Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlPatch, Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatch, Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatch, Third Party Advisory
- http://www.securityfocus.com/bid/99623Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1039744Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1039947Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1040360Third Party Advisory, VDB Entry
- https://access.redhat.com/errata/RHSA-2017:1834Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:1835Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:1836Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:1837Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:1839Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:1840Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2477Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2546Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2547Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2633Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2635Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2636Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2637Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:2638Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:3141Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:3454Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:3455Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:3456Third Party Advisory
- https://access.redhat.com/errata/RHSA-2017:3458Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:0294Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:0342Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:1449Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:1450Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0910Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:2858Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:3149Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1462702Issue Tracking, Third Party Advisory
- https://cwiki.apache.org/confluence/display/WW/S2-055Third Party Advisory
- https://github.com/FasterXML/jackson-databind/issues/1599Issue Tracking, Patch, Third Party Advisory
- https://github.com/FasterXML/jackson-databind/issues/1723Issue Tracking, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/01/msg00037.htmlMailing List, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/08/msg00039.htmlMailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20171214-0002/Third Party Advisory
- https://www.debian.org/security/2017/dsa-4004Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-7525?
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
How severe is CVE-2017-7525?
CVE-2017-7525 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 37.92% probability of exploitation in the next 30 days.
How do I fix CVE-2017-7525?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2017-7525?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST