CVE-2017-7525
Deserialization flaw vulnerability in jackson-databind (Maven)
What is CVE-2017-7525 About?
This vulnerability is a deserialization flaw in jackson-databind versions before 2.6.7.1, 2.7.9.1, and 2.8.9. It allows an unauthenticated user to achieve remote code execution by sending maliciously crafted input to the `readValue` method of the ObjectMapper. Exploitation is relatively straightforward for an attacker with network access.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.1
  - >=2.7.0, <2.7.9.1
  - >=2.8.0, <2.8.9
Technical Details
The deserialization flaw in jackson-databind exists in its readValue method when processing maliciously crafted JSON input. Attackers can leverage 'gadget chains' of existing classes on the classpath that perform dangerous operations during their deserialization or construction. By injecting specific class names and serialized data, an attacker can coerce the ObjectMapper to instantiate objects that execute arbitrary commands on the system. This typically bypasses the default trust mechanisms of the deserialization process, allowing unauthenticated remote code execution.
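The "class names in the JSON" behaviour described above is Jackson's polymorphic type handling: it is reachable when an application turns on default typing (`enableDefaultTyping()`) or declares a loosely typed property (`Object`, an interface or an abstract class) with type information, so that the input, not the code, decides which class gets instantiated. The example below is added here and is not code from this page or from the Jackson project. It puts the weak configuration next to two hardened ones and feeds all three the same constructed JSON, which names a harmless `java.util.HashMap` as a type id. The `Envelope` class, the `honoursTypeId` helper and the `com.example.model.` package prefix are assumptions for the example; the allow-list variant needs jackson-databind 2.10 or later, which is newer than the 2.6.7.1 / 2.7.9.1 / 2.8.9 fix releases listed on this page (those releases block a set of known gadget classes, but do not remove the ability of input to select classes).

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingHardening {

    // Hypothetical application DTO, assumed for this example. The Object-typed
    // field is exactly the kind of property that default typing applies to.
    public static class Envelope {
        public String id;
        public Object body;
    }

    // WEAK: global default typing (OBJECT_AND_NON_CONCRETE is the no-arg default).
    // The JSON may now name, as a type id, any class on the classpath for `body`,
    // which is the precondition for the gadget-chain abuse the advisory describes.
    public static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10, still the pattern behind this CVE
        return m;
    }

    // HARDENED: no default typing. `body` can only become a Map, List, String,
    // Number or Boolean; a class name in the input is just a string value.
    // This is the right choice whenever the input is untrusted.
    public static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }

    // HARDENED when polymorphism is genuinely required (jackson-databind >= 2.10):
    // a PolymorphicTypeValidator allow-list limits type ids to a package you own.
    // "com.example.model." is a placeholder prefix, not a real package.
    public static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
    }

    // Returns true if the mapper honoured the class name carried in the JSON, i.e.
    // it instantiated that class for `body`; false if the name was treated as plain
    // data or the mapper rejected it (BasicPolymorphicTypeValidator throws
    // InvalidTypeIdException, a JsonMappingException, for a type id it does not allow).
    public static boolean honoursTypeId(ObjectMapper m, String json) {
        try {
            Envelope e = m.readValue(json, Envelope.class);
            return e.body instanceof java.util.HashMap;
        } catch (Exception ex) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed input. Under default typing a loosely typed field is written as
        // ["<fully qualified class>", <value>]; naming a harmless HashMap is enough to
        // show whether a given mapper resolves classes from the input at all.
        String json = "{\"id\":\"1\",\"body\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
        System.out.println("weakMapper honours type id:      " + honoursTypeId(weakMapper(), json));
        System.out.println("safeMapper honours type id:      " + honoursTypeId(safeMapper(), json));
        System.out.println("allowListMapper honours type id: " + honoursTypeId(allowListMapper(), json));
    }
}
```

Run against the constructed input, `weakMapper` instantiates the named class, `safeMapper` deserializes `body` as a two-element list (the class name stays a string), and `allowListMapper` rejects the type id because `java.util.HashMap` is not under the allowed prefix. The practical check is therefore not the library version alone: search the code base for `enableDefaultTyping`, `activateDefaultTyping` and `@JsonTypeInfo` on `Object`-typed properties, and treat every hit that is reachable from a network endpoint as the exposure the Exploitability section below describes.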
What is the Impact of CVE-2017-7525?
Successful exploitation may allow attackers to execute arbitrary code on the affected system, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2017-7525?
Exploitation of this vulnerability is of moderate complexity, requiring knowledge of available gadget classes on the target system's classpath. No authentication is required, and the resulting access permissions are typically those of the application's process. This is a remote vulnerability, as an attacker can send malicious JSON input over the network to any endpoint that processes it using the vulnerable ObjectMapper. Special conditions involve the presence of vulnerable classes on the classpath that can be leveraged as deserialization gadgets. Risk factors include exposing endpoints that deserialize untrusted data to the internet, and having vulnerable versions of jackson-databind or related libraries in use.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| SecureSkyTechnology | Link | Investigation report on the Struts2 vulnerabilities S2-045 and S2-055 and the Jackson vulnerabilities CVE-2017-7525 and CVE-2017-15095 |
| Nazicc | Link | CVE-2017-7525 S2-055 Exploit |
| JavanXD | Link | Exploiting CVE-2017-7525 demo project with Angular7 frontend and Spring. |
What are the Available Fixes for CVE-2017-7525?
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.1 → Upgrade to 2.6.7.1
  - >=2.7.0, <2.7.9.1 → Upgrade to 2.7.9.1
  - >=2.8.0, <2.8.9 → Upgrade to 2.8.9
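Because the affected ranges have four-component bounds (2.6.7.1, 2.7.9.1), a plain string comparison of versions gives wrong answers, and the three ranges must be checked independently. The following checker is an added example, not tooling from this page or from the Jackson project: it encodes the ranges exactly as listed above, compares versions numerically, and scans `mvn dependency:list`-style lines for a jackson-databind entry. The line format (`groupId:artifactId:type[:classifier]:version:scope`) is assumed from typical Maven output, and the sample lines in `main` are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class JacksonDatabindVersionCheck {

    // Affected ranges copied from the advisory:
    // {lower bound inclusive (null = none), upper bound exclusive, version to upgrade to}.
    private static final String[][] AFFECTED = {
        {null,    "2.6.7.1", "2.6.7.1"},
        {"2.7.0", "2.7.9.1", "2.7.9.1"},
        {"2.8.0", "2.8.9",   "2.8.9"},
    };

    // Numeric component of a dotted version; a missing trailing component counts as 0,
    // so 2.8.9 == 2.8.9.0 and 2.6.7 < 2.6.7.1. A non-numeric component also counts as 0.
    private static int component(String[] parts, int i) {
        if (i >= parts.length) return 0;
        try {
            return Integer.parseInt(parts[i]);
        } catch (NumberFormatException e) {
            return 0;
        }
    }

    // Compares two versions numerically, ignoring any "-qualifier" suffix such as -SNAPSHOT.
    static int compare(String a, String b) {
        String[] pa = a.split("-", 2)[0].split("\\.");
        String[] pb = b.split("-", 2)[0].split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int c = Integer.compare(component(pa, i), component(pb, i));
            if (c != 0) return c;
        }
        return 0;
    }

    // Returns the version to upgrade to, or null if `version` lies outside every affected range.
    public static String requiredUpgrade(String version) {
        for (String[] r : AFFECTED) {
            boolean aboveLower = r[0] == null || compare(version, r[0]) >= 0;
            boolean belowUpper = compare(version, r[1]) < 0;
            if (aboveLower && belowUpper) return r[2];
        }
        return null;
    }

    // Scans dependency-list lines and reports each jackson-databind occurrence in an affected range.
    // The version is taken as the token before the scope, so an optional classifier does not matter.
    public static List<String> findings(List<String> lines) {
        List<String> out = new ArrayList<>();
        String coordinate = "com.fasterxml.jackson.core:jackson-databind:";
        for (String line : lines) {
            int idx = line.indexOf(coordinate);
            if (idx < 0) continue;
            String[] parts = line.substring(idx).trim().split(":");
            if (parts.length < 5) continue; // need at least group:artifact:type:version:scope
            String version = parts[parts.length - 2];
            String fix = requiredUpgrade(version);
            if (fix != null) {
                out.add("jackson-databind " + version + " is in an affected range; upgrade to " + fix);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of `mvn dependency:list` output.
        List<String> sample = Arrays.asList(
            "[INFO] The following files have been resolved:",
            "[INFO]    org.slf4j:slf4j-api:jar:1.7.25:compile",
            "[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.8.3:compile",
            "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.8.3:compile"
        );
        for (String f : findings(sample)) System.out.println(f);

        // Direct range checks against the advisory's bounds.
        for (String v : new String[] {"2.5.0", "2.6.7", "2.6.7.1", "2.7.9", "2.7.9.1", "2.8.3", "2.8.9"}) {
            System.out.println(v + " -> " + requiredUpgrade(v));
        }
    }
}
```

For the constructed sample the scan reports the 2.8.3 entry and names 2.8.9 as the target; the direct checks return 2.6.7.1 for 2.5.0 and 2.6.7, 2.7.9.1 for 2.7.9, 2.8.9 for 2.8.3, and null for 2.6.7.1, 2.7.9.1 and 2.8.9, matching the ranges listed above. Note that a version outside all three ranges only means it is not in this page's affected set for CVE-2017-7525; the later Jackson CVEs listed under Similar Vulnerabilities have their own ranges.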
Additional Resources
- https://github.com/FasterXML/jackson-databind/issues/1723
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://access.redhat.com/errata/RHSA-2017:2637
- https://access.redhat.com/errata/RHSA-2017:1834
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://github.com/FasterXML/jackson-databind/commit/90042692085deeb05ae75c569c9909f7dba24415
- https://access.redhat.com/errata/RHSA-2018:0294
- https://cwiki.apache.org/confluence/display/WW/S2-055
- https://access.redhat.com/errata/RHSA-2018:1450
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
What are Similar Vulnerabilities to CVE-2017-7525?
Similar Vulnerabilities: CVE-2017-15095, CVE-2018-7489, CVE-2019-12384, CVE-2020-36179, CVE-2020-35728
