CVE-2017-15095

NameCVE-2017-15095
DescriptionA deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2091-1, DLA-2342-1, DSA-4037-1
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jackson-databind (PTS)stretch2.8.6-1+deb9u7fixed
stretch (security)2.8.6-1+deb9u6fixed
buster2.9.8-3+deb10u2fixed
buster (security)2.9.8-3+deb10u1fixed
bullseye, sid2.11.1-1fixed
libjackson-json-java (PTS)stretch1.9.2-8vulnerable
stretch (security)1.9.2-8+deb9u1fixed
buster1.9.13-1vulnerable
bullseye, sid1.9.13-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jackson-databindsourcejessie2.4.2-2+deb8u2DSA-4037-1
jackson-databindsourcestretch2.8.6-1+deb9u2DSA-4037-1
jackson-databindsource(unstable)2.9.1-1
libjackson-json-javasourcejessie1.9.2-3+deb8u1DLA-2091-1
libjackson-json-javasourcestretch1.9.2-8+deb9u1DLA-2342-1
libjackson-json-javasource(unstable)1.9.13-2

Notes

The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
misses the further sets of blacklists, in particular as well
https://github.com/FasterXML/jackson-databind/commit/3bfbb835
which was already for CVE-2017-7525 but then the further tickets and patches
to block more dangerous types (at leas they are):
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1723
https://github.com/FasterXML/jackson-databind/issues/1737
https://github.com/FasterXML/jackson-databind/commit/e8f043d1
https://github.com/FasterXML/jackson-databind/commit/ddfddfba
This CVE-2017-15095 should be considered to include everything in
NO_DESER_CLASS_NAMES as of:
https://github.com/FasterXML/jackson-databind/blob/7093008aa2afe8068e120df850189ae072dfa1b2/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java#L43
Details: https://www.openwall.com/lists/oss-security/2017/11/02/3
For libjackson-json-java:
https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31

Search for package or bug name: Reporting problems