CVE-2017-17485
unauthenticated remote code execution vulnerability in com.fasterxml.jackson.core:jackson-databind

unauthenticated remote code execution Proof of concept

What is CVE-2017-17485 About?

This vulnerability in FasterXML jackson-databind allows unauthenticated remote code execution due to an incomplete fix for a prior deserialization flaw. Attackers can exploit this by sending maliciously crafted JSON input to bypass existing blacklists. Successful exploitation can lead to full system compromise.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.8.0, <2.8.11
    • >2.9.0, <2.9.4
    • <2.7.9.2

Technical Details

CVE-2017-17485 is an unauthenticated remote code execution vulnerability in FasterXML jackson-databind versions through 2.8.10 and 2.9.x through 2.9.3. It results from an incomplete patch for the earlier deserialization vulnerability CVE-2017-7525. The issue is triggered when specially crafted JSON input is passed to the `readValue` method of an `ObjectMapper` instance: an attacker can construct a payload that, on deserialization, instantiates a gadget chain leading to arbitrary code execution. The payload bypasses the deserialization blacklist that the earlier fix introduced, in particular when Spring libraries are present on the classpath, so classes the blacklist was meant to exclude remain reachable and remote code execution on the target system is still possible.
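As an added illustration (not code from this page or from the jackson-databind project), the Java below places the configuration this class of bug depends on, global default typing guarded only by a class blacklist, beside the hardened form: default typing activated behind an explicit subtype allowlist via `BasicPolymorphicTypeValidator`. The allowlist API exists from jackson-databind 2.10 onward, so it is a hardening step beyond the upgrade targets listed on this page; the `Shape`/`Circle` model and the `java.util.HashMap` probe are constructed for the demonstration.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {
    // Benign domain model, constructed for this example.
    public static abstract class Shape { }
    public static class Circle extends Shape { public double radius; }

    // Weak setting: global default typing lets the JSON document name the
    // concrete class to instantiate; safety then rests on a class blacklist,
    // which is exactly what CVE-2017-17485 bypasses.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Corrected setting (jackson-databind 2.10+): default typing is only
    // activated behind an allowlist, so a type id must match our own model.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(DefaultTypingCheck.class.getName() + "$")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Default typing's WRAPPER_ARRAY form: ["fully.qualified.Class", {fields}].
        String ownType = "[\"" + Circle.class.getName() + "\", {\"radius\": 2.0}]";
        // A type outside our model: a harmless JDK class stands in for any
        // classpath class that input might name.
        String foreignType = "[\"java.util.HashMap\", {}]";

        Circle c = (Circle) hardenedMapper().readValue(ownType, Shape.class);
        System.out.println("allowlisted subtype accepted, radius=" + c.radius);

        Object o = weakMapper().readValue(foreignType, Object.class);
        System.out.println("weak mapper instantiated " + o.getClass().getName());

        try {
            hardenedMapper().readValue(foreignType, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id " + e.getTypeId());
        }
    }
}
```

On the versions this page lists as fixed (2.7.9.2, 2.8.11, 2.9.4) the validator API is not available; there, the equivalent hardening is to not enable default typing at all and to declare subtypes explicitly with `@JsonTypeInfo`/`@JsonSubTypes`.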

What is the Impact of CVE-2017-17485?

Successful exploitation may allow attackers to execute arbitrary code on the target system, leading to full system compromise, data exfiltration, or denial-of-service conditions.

What is the Exploitability of CVE-2017-17485?

Exploitation of this remote code execution vulnerability typically involves moderate to high complexity, as it requires crafting specific JSON payloads and knowledge of potentially available gadget chains on the classpath. No authentication is required, making it highly impactful. Privilege requirements are tied to the execution context of the vulnerable application, which could be high. Exploitation is remote, as malicious JSON input can be sent over the network. A key special condition is the presence of Spring libraries in the classpath on the target system, which facilitates the blacklist bypass. The likelihood of exploitation is increased if the application widely accepts JSON input from untrusted sources and uses a vulnerable version of jackson-databind with Spring libraries.

What are the Known Public Exploits?

PoC Author   Link   Commentary
Al1ex        Link   CVE-2017-17485:Jackson-databind RCE
tafamace     Link   PoC for CVE-2017-17485
x7iaob       Link   cve-2017-17485 PoC

What are the Available Fixes for CVE-2017-17485?

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • <2.7.9.2 → Upgrade to 2.7.9.2
  • com.fasterxml.jackson.core:jackson-databind
    • >2.8.0, <2.8.11 → Upgrade to 2.8.11
  • com.fasterxml.jackson.core:jackson-databind
    • >2.9.0, <2.9.4 → Upgrade to 2.9.4


Additional Resources

What are Similar Vulnerabilities to CVE-2017-17485?

Similar Vulnerabilities: CVE-2017-7525, CVE-2018-7489, CVE-2019-12384, CVE-2020-35729, CVE-2020-25649