CVE-2017-7525 — CRITICAL (9.8)

Q: How severe is CVE-2017-7525?

CVE-2017-7525 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2017-7525?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Netapp Oncommand Balance, Netapp Oncommand Performance Manager, Netapp Oncommand Shift.

Vulnerability Description

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Fasterxml	Jackson-Databind	< 2.6.7.1
Debian	Debian Linux	8.0
Netapp	Oncommand Balance	-
Netapp	Oncommand Performance Manager	-
Netapp	Oncommand Shift	-
Netapp	Snapcenter	-
Redhat	Openshift Container Platform	4.1
Redhat	Virtualization	4.0
Redhat	Virtualization Host	4.0
Redhat	Enterprise Linux Server	7.0
Redhat	Jboss Enterprise Application Platform	6.0.0
Oracle	Banking Platform	2.5.0
Oracle	Communications Billing And Revenue Management	7.5
Oracle	Communications Communications Policy Management	>= 12.0, <= 12.5.2
Oracle	Communications Diameter Signaling Route	< 8.3
Oracle	Communications Instant Messaging Server	10.0.1
Oracle	Enterprise Manager For Virtualization	13.2.2
Oracle	Financial Services Analytical Applications Infrastructure	8.0.2.0.0
Oracle	Global Lifecycle Management Opatchauto	< 12.2.0.1.14
Oracle	Primavera Unifier	>= 17.1, <= 17.12

Related Weaknesses (CWE)

CWE-184 CWE-502

References

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatchThird Party Advisory
http://www.securityfocus.com/bid/99623Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1039744Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1039947Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040360Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:1834Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1835Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1836Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1837Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1839Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1840Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2477Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2546Third Party Advisory

FAQ

What is CVE-2017-7525?

CVE-2017-7525 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciousl...

How severe is CVE-2017-7525?

CVE-2017-7525 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-7525?

Check the references section above for vendor advisories and patch information. Affected products include: Fasterxml Jackson-Databind, Debian Debian Linux, Netapp Oncommand Balance, Netapp Oncommand Performance Manager, Netapp Oncommand Shift.