CVE-2017-15095 — CRITICAL (9.8)

Q: How severe is CVE-2017-15095?

CVE-2017-15095 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2017-15095?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Redhat Openshift Container Platform, Redhat Satellite, Redhat Satellite Capsule.

Vulnerability Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Fasterxml	Jackson-Databind	>= 2.0.0, < 2.6.7.2
Debian	Debian Linux	8.0
Redhat	Openshift Container Platform	3.11
Redhat	Satellite	6.4
Redhat	Satellite Capsule	6.4
Redhat	Enterprise Linux	7.0
Redhat	Jboss Enterprise Application Platform	6.0.0
Netapp	Oncommand Balance	-
Netapp	Oncommand Performance Manager	-
Netapp	Oncommand Shift	-
Netapp	Snapcenter	-
Oracle	Banking Platform	2.5.0
Oracle	Clusterware	12.1.0.2.0
Oracle	Communications Billing And Revenue Management	7.5
Oracle	Communications Diameter Signaling Router	< 8.3
Oracle	Communications Instant Messaging Server	10.0.1.2.0
Oracle	Database Server	12.2.0.1
Oracle	Enterprise Manager For Virtualization	13.2.2
Oracle	Financial Services Analytical Applications Infrastructure	8.0.2
Oracle	Global Lifecycle Management Opatchauto	< 12.2.0.1.14

Related Weaknesses (CWE)

CWE-184 CWE-502

References

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatchThird Party Advisory
http://www.securityfocus.com/bid/103880Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1039769Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:3189Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3190Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0342Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0478Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0479Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0480Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0481Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0576Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0577Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1447Third Party Advisory

FAQ

What is CVE-2017-15095?

CVE-2017-15095 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafte...

How severe is CVE-2017-15095?

CVE-2017-15095 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-15095?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Redhat Openshift Container Platform, Redhat Satellite, Redhat Satellite Capsule.