CVE-2017-15095 : A deserialization flaw was discovered in the jackson-databind in versions before

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Published 2018-02-06 15:29:00

Updated 2023-09-13 14:23:12

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2017-15095

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 6.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 5.0
When used together with: Redhat » Enterprise Linux » Version: 6.0
When used together with: Redhat » Enterprise Linux » Version: 7.0
Redhat » Jboss Enterprise Application Platform » Version: 6.4.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 5.0
When used together with: Redhat » Enterprise Linux » Version: 6.0
When used together with: Redhat » Enterprise Linux » Version: 7.0
Redhat » Jboss Enterprise Application Platform » Version: 7.1.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 6.0
When used together with: Redhat » Enterprise Linux » Version: 7.0
Redhat » Satellite » Version: 6.4
cpe:2.3:a:redhat:satellite:6.4:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Container Platform » Version: 4.1
cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
Redhat » Openshift Container Platform » Version: 3.11
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
Matching versions
Redhat » Satellite Capsule » Version: 6.4
cpe:2.3:a:redhat:satellite_capsule:6.4:*:*:*:*:*:*:*
Matching versions
Oracle » Database Server » Version: 12.2.0.1
cpe:2.3:a:oracle:database_server:12.2.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Database Server » Version: 18.1
cpe:2.3:a:oracle:database_server:18.1:*:*:*:*:*:*:*
Matching versions
Oracle » Jd Edwards Enterpriseone Tools » Version: 9.2
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
Matching versions
Oracle » Identity Manager » Version: 11.1.2.3.0
cpe:2.3:a:oracle:identity_manager:11.1.2.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Identity Manager » Version: 12.2.1.3.0
cpe:2.3:a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.0
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.1
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.2
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.5.0
cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier
Versions from including (>=) 17.1 and up to, including, (<=) 17.12
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 18.8
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 16.1
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 16.2
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.3.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.2
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.3
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.4
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.5
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.6
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure » Version: 8.0.7
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Diameter Signaling Router
Versions before (<) 8.3
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Billing And Revenue Management » Version: 7.5
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Billing And Revenue Management » Version: 12.0
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager For Virtualization » Version: 13.2.2
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager For Virtualization » Version: 13.2.3
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager For Virtualization » Version: 13.3.1
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1:*:*:*:*:*:*:*
Matching versions
Oracle » Global Lifecycle Management Opatchauto
Versions before (<) 12.2.0.1.14
cpe:2.3:a:oracle:global_lifecycle_management_opatchauto:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Instant Messaging Server » Version: 10.0.1.2.0
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Clusterware » Version: 12.1.0.2.0
cpe:2.3:a:oracle:clusterware:12.1.0.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Advanced Spatial And Operational Analytics » Version: 2.7.0.1
cpe:2.3:a:oracle:utilities_advanced_spatial_and_operational_analytics:2.7.0.1:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Balance » Version: N/A
cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapcenter » Version: N/A
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Performance Manager » Version: N/A For Linux
cpe:2.3:a:netapp:oncommand_performance_manager:-:*:*:*:*:linux:*:*
Matching versions
Netapp » Oncommand Performance Manager » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:oncommand_performance_manager:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Oncommand Shift » Version: N/A
cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.8.0 and before (<) 2.8.10
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.7.0 and before (<) 2.7.9.2
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind
Versions from including (>=) 2.0.0 and before (<) 2.6.7.2
cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:-:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update Prerelease1
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease1:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update Prerelease2
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease2:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update Prerelease3
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease3:*:*:*:*:*:*
Matching versions
Fasterxml » Jackson-databind » Version: 2.9.0 Update Prerelease4
cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease4:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2017-15095

Top countries where our scanners detected CVE-2017-15095

Top open port discovered on systems with this issue 1521

IPs affected by CVE-2017-15095 8,660

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2017-15095!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2017-15095

EPSS FAQ

6.87%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 91 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-15095

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-15095

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Assigned by: secalert@redhat.com (Secondary)
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-15095

https://access.redhat.com/errata/RHSA-2018:0577

RHSA-2018:0577 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

Oracle Critical Patch Update Advisory - October 2020
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3189

RHSA-2017:3189 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

CPU Oct 2018
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/FasterXML/jackson-databind/issues/1737

Block more JDK types from polymorphic deserialization (CVE 2017-15095) · Issue #1737 · FasterXML/jackson-databind · GitHub
Issue Tracking;Patch;Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Oracle Critical Patch Update - April 2018
Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:0481

RHSA-2018:0481 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20171214-0003/

CVE-2017-15095 Jackson JSON Library vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0478

RHSA-2018:0478 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://github.com/FasterXML/jackson-databind/issues/1680

Blacklist couple more types for deserialization · Issue #1680 · FasterXML/jackson-databind · GitHub
Issue Tracking;Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Oracle Critical Patch Update - July 2019
Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:0480

RHSA-2018:0480 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:1451

RHSA-2018:1451 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:0479

RHSA-2018:0479 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:2927

RHSA-2018:2927 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3149

RHSA-2019:3149 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2017/dsa-4037

Debian -- Security Information -- DSA-4037-1 jackson-databind
Third Party Advisory
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E

Re: CVE-2017-7525 fix for Solr 7.7.x - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:1448

RHSA-2018:1448 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Oracle Critical Patch Update - January 2019
Patch;Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/103880

FasterXML Jackson-databind CVE-2017-15095 Incomplete Fix Remote Code Execution Vulnerability
Third Party Advisory;VDB Entry
https://access.redhat.com/errata/RHSA-2018:1450

RHSA-2018:1450 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3892

RHSA-2019:3892 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2858

RHSA-2019:2858 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:0342

RHSA-2018:0342 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

CPU July 2018
Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:1447

RHSA-2018:1447 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html

[SECURITY] [DLA 2091-1] libjackson-json-java security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:0576

RHSA-2018:0576 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1449

RHSA-2018:1449 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3190

RHSA-2017:3190 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
http://www.securitytracker.com/id/1039769

Jackson Library Deserialization Flaw in jackson-databind Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker
Third Party Advisory;VDB Entry