CVE-2017-15095

NameCVE-2017-15095
DescriptionA deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4037-1
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jackson-databind (PTS)jessie2.4.2-2+deb8u4fixed
jessie (security)2.4.2-2+deb8u6fixed
stretch2.8.6-1+deb9u4fixed
stretch (security)2.8.6-1+deb9u5fixed
buster, sid2.9.8-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jackson-databindsource(unstable)2.9.1-1high
jackson-databindsourcejessie2.4.2-2+deb8u2highDSA-4037-1
jackson-databindsourcestretch2.8.6-1+deb9u2highDSA-4037-1

Notes

The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
misses the further sets of blacklists, in particular as well
https://github.com/FasterXML/jackson-databind/commit/3bfbb835
which was already for CVE-2017-7525 but then the further tickets and patches
to block more dangerous types (at leas they are):
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1723
https://github.com/FasterXML/jackson-databind/issues/1737
https://github.com/FasterXML/jackson-databind/commit/e8f043d1
https://github.com/FasterXML/jackson-databind/commit/ddfddfba
This CVE-2017-15095 should be considered to include everything in
NO_DESER_CLASS_NAMES as of:
https://github.com/FasterXML/jackson-databind/blob/7093008aa2afe8068e120df850189ae072dfa1b2/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java#L43
Details: http://www.openwall.com/lists/oss-security/2017/11/02/3

Search for package or bug name: Reporting problems