CVE-2017-15095

NameCVE-2017-15095
DescriptionA deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2091-1, DLA-2342-1, DSA-4037-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jackson-databind (PTS)buster2.9.8-3+deb10u3fixed
buster (security)2.9.8-3+deb10u5fixed
bullseye (security), bullseye2.12.1-1+deb11u1fixed
sid, trixie, bookworm2.14.0-1fixed
libjackson-json-java (PTS)buster1.9.13-2~deb10u1fixed
sid, trixie, bookworm, bullseye1.9.13-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jackson-databindsourcejessie2.4.2-2+deb8u2DSA-4037-1
jackson-databindsourcestretch2.8.6-1+deb9u2DSA-4037-1
jackson-databindsource(unstable)2.9.1-1
libjackson-json-javasourcejessie1.9.2-3+deb8u1DLA-2091-1
libjackson-json-javasourcestretch1.9.2-8+deb9u1DLA-2342-1
libjackson-json-javasourcebuster1.9.13-2~deb10u1
libjackson-json-javasource(unstable)1.9.13-2

Notes

The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
misses the further sets of blacklists, in particular as well
https://github.com/FasterXML/jackson-databind/commit/3bfbb835
which was already for CVE-2017-7525 but then the further tickets and patches
to block more dangerous types (at leas they are):
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1723
https://github.com/FasterXML/jackson-databind/issues/1737
https://github.com/FasterXML/jackson-databind/commit/e8f043d1
https://github.com/FasterXML/jackson-databind/commit/ddfddfba
This CVE-2017-15095 should be considered to include everything in
NO_DESER_CLASS_NAMES as of:
https://github.com/FasterXML/jackson-databind/blob/7093008aa2afe8068e120df850189ae072dfa1b2/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java#L43
Details: https://www.openwall.com/lists/oss-security/2017/11/02/3
For libjackson-json-java:
https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31

Search for package or bug name: Reporting problems