Name | CVE-2017-15095 |
Description | A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-2091-1, DLA-2342-1, DSA-4037-1 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
jackson-databind (PTS) | jessie, jessie (lts) | 2.4.2-2+deb8u17 | fixed |
stretch (security) | 2.8.6-1+deb9u10 | fixed | |
stretch (lts), stretch | 2.8.6-1+deb9u11 | fixed | |
buster (security), buster, buster (lts) | 2.9.8-3+deb10u5 | fixed | |
bullseye (security), bullseye | 2.12.1-1+deb11u1 | fixed | |
sid, trixie, bookworm | 2.14.0-1 | fixed | |
libjackson-json-java (PTS) | jessie, jessie (lts) | 1.9.2-3+deb8u1 | fixed |
stretch (security), stretch (lts), stretch | 1.9.2-8+deb9u1 | fixed | |
buster | 1.9.13-2~deb10u1 | fixed | |
sid, trixie, bullseye, bookworm | 1.9.13-2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
jackson-databind | source | jessie | 2.4.2-2+deb8u2 | DSA-4037-1 | ||
jackson-databind | source | stretch | 2.8.6-1+deb9u2 | DSA-4037-1 | ||
jackson-databind | source | (unstable) | 2.9.1-1 | |||
libjackson-json-java | source | wheezy | (unfixed) | end-of-life | ||
libjackson-json-java | source | jessie | 1.9.2-3+deb8u1 | DLA-2091-1 | ||
libjackson-json-java | source | stretch | 1.9.2-8+deb9u1 | DLA-2342-1 | ||
libjackson-json-java | source | buster | 1.9.13-2~deb10u1 | |||
libjackson-json-java | source | (unstable) | 1.9.13-2 |
The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
misses the further sets of blacklists, in particular as well
https://github.com/FasterXML/jackson-databind/commit/3bfbb835
which was already for CVE-2017-7525 but then the further tickets and patches
to block more dangerous types (at leas they are):
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1723
https://github.com/FasterXML/jackson-databind/issues/1737
https://github.com/FasterXML/jackson-databind/commit/e8f043d1
https://github.com/FasterXML/jackson-databind/commit/ddfddfba
This CVE-2017-15095 should be considered to include everything in
NO_DESER_CLASS_NAMES as of:
https://github.com/FasterXML/jackson-databind/blob/7093008aa2afe8068e120df850189ae072dfa1b2/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java#L43
Details: https://www.openwall.com/lists/oss-security/2017/11/02/3
For libjackson-json-java:
https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31