First published: Thu Jan 18 2018
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/eap7-activemq-artemis | <0:1.5.5.009-1.redhat_1.1.ep7.el6 | 0:1.5.5.009-1.redhat_1.1.ep7.el6 |
redhat/eap7-apache-cxf | <0:3.1.13-1.redhat_1.1.ep7.el6 | 0:3.1.13-1.redhat_1.1.ep7.el6 |
redhat/eap7-glassfish-jsf | <0:2.2.13-6.SP5_redhat_1.1.ep7.el6 | 0:2.2.13-6.SP5_redhat_1.1.ep7.el6 |
redhat/eap7-hibernate | <0:5.1.12-1.Final_redhat_1.1.ep7.el6 | 0:5.1.12-1.Final_redhat_1.1.ep7.el6 |
redhat/eap7-infinispan | <0:8.2.9-1.Final_redhat_1.1.ep7.el6 | 0:8.2.9-1.Final_redhat_1.1.ep7.el6 |
redhat/eap7-ironjacamar | <0:1.4.7-1.Final_redhat_1.1.ep7.el6 | 0:1.4.7-1.Final_redhat_1.1.ep7.el6 |
redhat/eap7-jackson-annotations | <0:2.8.11-1.redhat_1.1.ep7.el6 | 0:2.8.11-1.redhat_1.1.ep7.el6 |
redhat/eap7-jackson-core | <0:2.8.11-1.redhat_1.1.ep7.el6 | 0:2.8.11-1.redhat_1.1.ep7.el6 |
redhat/eap7-jackson-databind | <0:2.8.11-1.redhat_1.1.ep7.el6 | 0:2.8.11-1.redhat_1.1.ep7.el6 |
redhat/eap7-jackson-jaxrs-providers | <0:2.8.11-1.redhat_1.1.ep7.el6 | 0:2.8.11-1.redhat_1.1.ep7.el6 |
redhat/eap7-jackson-module-jaxb-annotations | <0:2.8.11-1.redhat_1.1.ep7.el6 | 0:2.8.11-1.redhat_1.1.ep7.el6 |
redhat/eap7-jackson-modules-java8 | <0:2.8.11-1.redhat_1.1.ep7.el6 | 0:2.8.11-1.redhat_1.1.ep7.el6 |
redhat/eap7-jboss-logmanager | <0:2.0.8-1.Final_redhat_1.1.ep7.el6 | 0:2.0.8-1.Final_redhat_1.1.ep7.el6 |
redhat/eap7-jboss-server-migration | <0:1.0.3-6.Final_redhat_6.1.ep7.el6 | 0:1.0.3-6.Final_redhat_6.1.ep7.el6 |
redhat/eap7-jbossws-cxf | <0:5.1.10-1.Final_redhat_1.1.ep7.el6 | 0:5.1.10-1.Final_redhat_1.1.ep7.el6 |
redhat/eap7-narayana | <0:5.5.31-1.Final_redhat_1.1.ep7.el6 | 0:5.5.31-1.Final_redhat_1.1.ep7.el6 |
redhat/eap7-picketlink-bindings | <0:2.5.5-10.SP9_redhat_1.1.ep7.el6 | 0:2.5.5-10.SP9_redhat_1.1.ep7.el6 |
redhat/eap7-picketlink-federation | <0:2.5.5-10.SP9_redhat_1.1.ep7.el6 | 0:2.5.5-10.SP9_redhat_1.1.ep7.el6 |
redhat/eap7-resteasy | <0:3.0.25-1.Final_redhat_1.1.ep7.el6 | 0:3.0.25-1.Final_redhat_1.1.ep7.el6 |
redhat/eap7-undertow | <0:1.4.18-4.SP2_redhat_1.1.ep7.el6 | 0:1.4.18-4.SP2_redhat_1.1.ep7.el6 |
redhat/eap7-undertow-jastow | <0:2.0.3-1.Final_redhat_1.1.ep7.el6 | 0:2.0.3-1.Final_redhat_1.1.ep7.el6 |
redhat/eap7-wildfly | <0:7.1.1-4.GA_redhat_2.1.ep7.el6 | 0:7.1.1-4.GA_redhat_2.1.ep7.el6 |
redhat/eap7-wildfly-elytron | <0:1.1.8-1.Final_redhat_1.1.ep7.el6 | 0:1.1.8-1.Final_redhat_1.1.ep7.el6 |
redhat/eap7-wildfly-http-client | <0:1.0.9-1.Final_redhat_1.1.ep7.el6 | 0:1.0.9-1.Final_redhat_1.1.ep7.el6 |
redhat/eap7-wildfly-javadocs | <0:7.1.1-3.GA_redhat_2.1.ep7.el6 | 0:7.1.1-3.GA_redhat_2.1.ep7.el6 |
redhat/eap7-wss4j | <0:2.1.11-1.redhat_1.1.ep7.el6 | 0:2.1.11-1.redhat_1.1.ep7.el6 |
redhat/eap7-xml-security | <0:2.0.9-1.redhat_1.1.ep7.el6 | 0:2.0.9-1.redhat_1.1.ep7.el6 |
redhat/eap7-jboss-ec2-eap | <0:7.1.1-3.1.GA_redhat_3.ep7.el6 | 0:7.1.1-3.1.GA_redhat_3.ep7.el6 |
redhat/eap7-activemq-artemis | <0:1.5.5.009-1.redhat_1.1.ep7.el7 | 0:1.5.5.009-1.redhat_1.1.ep7.el7 |
redhat/eap7-apache-cxf | <0:3.1.13-1.redhat_1.1.ep7.el7 | 0:3.1.13-1.redhat_1.1.ep7.el7 |
redhat/eap7-glassfish-jsf | <0:2.2.13-6.SP5_redhat_1.1.ep7.el7 | 0:2.2.13-6.SP5_redhat_1.1.ep7.el7 |
redhat/eap7-hibernate | <0:5.1.12-1.Final_redhat_1.1.ep7.el7 | 0:5.1.12-1.Final_redhat_1.1.ep7.el7 |
redhat/eap7-infinispan | <0:8.2.9-1.Final_redhat_1.1.ep7.el7 | 0:8.2.9-1.Final_redhat_1.1.ep7.el7 |
redhat/eap7-ironjacamar | <0:1.4.7-1.Final_redhat_1.1.ep7.el7 | 0:1.4.7-1.Final_redhat_1.1.ep7.el7 |
redhat/eap7-jackson-annotations | <0:2.8.11-1.redhat_1.1.ep7.el7 | 0:2.8.11-1.redhat_1.1.ep7.el7 |
redhat/eap7-jackson-core | <0:2.8.11-1.redhat_1.1.ep7.el7 | 0:2.8.11-1.redhat_1.1.ep7.el7 |
redhat/eap7-jackson-databind | <0:2.8.11-1.redhat_1.1.ep7.el7 | 0:2.8.11-1.redhat_1.1.ep7.el7 |
redhat/eap7-jackson-jaxrs-providers | <0:2.8.11-1.redhat_1.1.ep7.el7 | 0:2.8.11-1.redhat_1.1.ep7.el7 |
redhat/eap7-jackson-module-jaxb-annotations | <0:2.8.11-1.redhat_1.1.ep7.el7 | 0:2.8.11-1.redhat_1.1.ep7.el7 |
redhat/eap7-jackson-modules-java8 | <0:2.8.11-1.redhat_1.1.ep7.el7 | 0:2.8.11-1.redhat_1.1.ep7.el7 |
redhat/eap7-jboss-logmanager | <0:2.0.8-1.Final_redhat_1.1.ep7.el7 | 0:2.0.8-1.Final_redhat_1.1.ep7.el7 |
redhat/eap7-jboss-server-migration | <0:1.0.3-6.Final_redhat_6.1.ep7.el7 | 0:1.0.3-6.Final_redhat_6.1.ep7.el7 |
redhat/eap7-jbossws-cxf | <0:5.1.10-1.Final_redhat_1.1.ep7.el7 | 0:5.1.10-1.Final_redhat_1.1.ep7.el7 |
redhat/eap7-narayana | <0:5.5.31-1.Final_redhat_1.1.ep7.el7 | 0:5.5.31-1.Final_redhat_1.1.ep7.el7 |
redhat/eap7-picketlink-bindings | <0:2.5.5-10.SP9_redhat_1.1.ep7.el7 | 0:2.5.5-10.SP9_redhat_1.1.ep7.el7 |
redhat/eap7-picketlink-federation | <0:2.5.5-10.SP9_redhat_1.1.ep7.el7 | 0:2.5.5-10.SP9_redhat_1.1.ep7.el7 |
redhat/eap7-resteasy | <0:3.0.25-1.Final_redhat_1.1.ep7.el7 | 0:3.0.25-1.Final_redhat_1.1.ep7.el7 |
redhat/eap7-undertow | <0:1.4.18-4.SP2_redhat_1.1.ep7.el7 | 0:1.4.18-4.SP2_redhat_1.1.ep7.el7 |
redhat/eap7-undertow-jastow | <0:2.0.3-1.Final_redhat_1.1.ep7.el7 | 0:2.0.3-1.Final_redhat_1.1.ep7.el7 |
redhat/eap7-wildfly | <0:7.1.1-4.GA_redhat_2.1.ep7.el7 | 0:7.1.1-4.GA_redhat_2.1.ep7.el7 |
redhat/eap7-wildfly-elytron | <0:1.1.8-1.Final_redhat_1.1.ep7.el7 | 0:1.1.8-1.Final_redhat_1.1.ep7.el7 |
redhat/eap7-wildfly-http-client | <0:1.0.9-1.Final_redhat_1.1.ep7.el7 | 0:1.0.9-1.Final_redhat_1.1.ep7.el7 |
redhat/eap7-wildfly-javadocs | <0:7.1.1-3.GA_redhat_2.1.ep7.el7 | 0:7.1.1-3.GA_redhat_2.1.ep7.el7 |
redhat/eap7-wss4j | <0:2.1.11-1.redhat_1.1.ep7.el7 | 0:2.1.11-1.redhat_1.1.ep7.el7 |
redhat/eap7-xml-security | <0:2.0.9-1.redhat_1.1.ep7.el7 | 0:2.0.9-1.redhat_1.1.ep7.el7 |
redhat/eap7-jboss-ec2-eap | <0:7.1.1-3.1.GA_redhat_3.ep7.el7 | 0:7.1.1-3.1.GA_redhat_3.ep7.el7 |
debian/jackson-databind | <=2.9.1-1, <=2.8.6-1+deb9u2, <=2.4.2-2+deb8u2 | 2.9.4-1, 2.8.6-1+deb9u3, 2.4.2-2+deb8u3 |
FasterXML jackson-databind | >=2.0.0, <2.6.7.3 | |
FasterXML jackson-databind | >=2.7.0, <2.7.9.2 | |
FasterXML jackson-databind | >=2.8.0, <2.8.11.1 | |
FasterXML jackson-databind | >=2.9.0, <2.9.4 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Redhat Openshift Container Platform | =4.1 | |
Redhat Virtualization | =4.0 | |
Redhat Virtualization Host | =4.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Jboss Enterprise Application Platform | =7.1 | |
Redhat Enterprise Linux Server | =6.0 | |
Redhat Openshift Container Platform | =3.11 | |
NetApp E-Series SANtricity OS Controller | >=11.0.0, <=11.60.3 | |
Netapp E-series Santricity Web Services Proxy | ||
Netapp Oncommand Shift | ||
debian/jackson-databind | 2.9.8-3+deb10u3 2.9.8-3+deb10u5 2.12.1-1+deb11u1 2.14.0-1 | |
IBM GDE | <=3.0.0.2 | |
redhat/jackson-databind | <2.9.4 | 2.9.4 |
maven/com.fasterxml.jackson.core:jackson-databind | <2.7.9.5 | 2.7.9.5 |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.8.0, <2.8.11 | 2.8.11.1 |
maven/com.fasterxml.jackson.core:jackson-databind | >=2.9.0, <2.9.4 | 2.9.4 |
- All of:
  - Any of:
    - Redhat Openshift Container Platform =4.1
    - Redhat Virtualization =4.0
    - Redhat Virtualization Host =4.0
  - Redhat Enterprise Linux Server =7.0
- All of:
  - Redhat Jboss Enterprise Application Platform =7.1
  - Any of:
    - Redhat Enterprise Linux Server =6.0
    - Redhat Enterprise Linux Server =7.0