CVE-2017-15095
Deserialization vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2017-15095 About?
This vulnerability is a deserialization flaw in jackson-databind, affecting versions prior to 2.8.11 and 2.9.4. It allows an unauthenticated attacker to achieve code execution by sending maliciously crafted JSON input to the `readValue` method. The issue is an extension of CVE-2017-7525, adding further classes to the list of exploitable gadgets, and can lead to full system compromise.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.6.7.3
- >2.8.0, <2.8.11
- >2.7.0, <2.7.9.2
- >2.9.0, <2.9.4
Technical Details
CVE-2017-15095 is a deserialization vulnerability in FasterXML jackson-databind, impacting versions prior to 2.8.11 and 2.9.4. This flaw is a continuation of the deserialization issues identified in CVE-2017-7525. It allows an unauthenticated attacker to achieve arbitrary code execution through the `readValue` method of `ObjectMapper`. The vulnerability arises because `jackson-databind`, when polymorphic type handling is enabled, deserializes attacker-controlled JSON into Java objects of whatever class the JSON names. If the payload refers to a class that was not on the library's blacklist (or the blacklist mechanism was otherwise insufficient), instantiating that class during deserialization triggers a 'gadget chain'. This chain then executes arbitrary commands or leverages other system resources, bypassing the earlier mitigations and leading to remote code execution on the server.
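The root cause above is polymorphic type handling that honours any class name the JSON supplies. The following is an added example, not code from the jackson-databind project or from this advisory: it places the weak global `enableDefaultTyping()` configuration beside the allow-list form that jackson-databind 2.10 and later provide via `PolymorphicTypeValidator`. The `Shape` and `Circle` types and the package `com.example.shapes` are assumptions for illustration.

```java
package com.example.shapes;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class SafeMapperFactory {

    // Hypothetical application base type: only its subtypes may be named in JSON.
    public interface Shape {}

    // Hypothetical concrete subtype used for the round-trip check in main().
    public static final class Circle implements Shape {
        public double radius;
    }

    // WEAK: default typing with no subtype restriction. A class name embedded in
    // the JSON is honoured for any class on the classpath, which is the setting the
    // blacklists patched in CVE-2017-7525 / CVE-2017-15095 were trying to contain.
    // Deprecated since 2.10 for exactly this reason.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // HARDENED (jackson-databind 2.10+): polymorphic type ids are only accepted for
    // classes assignable to Shape; any other class name is rejected at read time
    // with an InvalidDefinitionException instead of being instantiated.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Round-trip a legitimate Shape to show the allow-list does not break normal use.
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        Circle c = new Circle();
        c.radius = 2.5;
        String json = mapper.writeValueAsString(c); // carries a type id for Circle
        Shape back = mapper.readValue(json, Shape.class);
        System.out.println(back.getClass().getSimpleName() + " " + ((Circle) back).radius);
    }
}
```

Applications still on the 2.6 to 2.9 lines listed in this advisory should upgrade to the fixed releases below; the validator-based allow-list is the recommended configuration once on 2.10 or later, and avoiding default typing altogether is safer still.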
What is the Impact of CVE-2017-15095?
Successful exploitation may allow attackers to execute arbitrary code on the target system, leading to full system compromise, data exfiltration, or denial-of-service conditions.
What is the Exploitability of CVE-2017-15095?
Exploitation of this deserialization vulnerability typically involves moderate to high complexity, as it requires constructing a precise JSON payload to trigger a gadget chain. No authentication is required, making it particularly dangerous. The privileges obtained are tied to the execution context of the vulnerable application, which could be high. Exploitation is remote, as it involves sending the crafted JSON input over the network. A special condition is the presence of exploitable classes on the target system's classpath that can be triggered by deserialization. The likelihood of exploitation is significantly increased if the application widely accepts JSON input from untrusted sources and uses a vulnerable version of `jackson-databind`.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-15095?
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
- >2.0.0, <2.6.7.3 → Upgrade to 2.6.7.3
- com.fasterxml.jackson.core:jackson-databind
- >2.7.0, <2.7.9.2 → Upgrade to 2.7.9.2
- com.fasterxml.jackson.core:jackson-databind
- >2.8.0, <2.8.11 → Upgrade to 2.8.11
- com.fasterxml.jackson.core:jackson-databind
- >2.9.0, <2.9.4 → Upgrade to 2.9.4
Additional Resources
- https://access.redhat.com/errata/RHSA-2018:0478
- https://web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://github.com/FasterXML/jackson-databind/issues/1680
- https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E
- https://access.redhat.com/errata/RHSA-2018:1450
- https://access.redhat.com/errata/RHSA-2018:0481
- https://access.redhat.com/errata/RHSA-2018:1449
- https://access.redhat.com/errata/RHSA-2018:1448
What are Similar Vulnerabilities to CVE-2017-15095?
Similar Vulnerabilities: CVE-2017-7525, CVE-2017-17485, CVE-2018-7489, CVE-2019-12384, CVE-2020-35729
