CVE-2018-7489
Unauthenticated remote code execution vulnerability in jackson-databind (Maven)
What is CVE-2018-7489 About?
This vulnerability allows unauthenticated remote code execution in FasterXML jackson-databind because the fix for an earlier deserialization flaw (CVE-2017-7525) was incomplete. An attacker who can submit JSON to an application that deserializes it with polymorphic (default) typing enabled can name gadget classes that the existing blacklist failed to cover, and Jackson will instantiate them from the attacker-controlled input. Exploitability depends on the application's deserialization configuration and on a specific third-party library (c3p0) being present on the classpath.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.5
  - >=2.7.0, <2.7.9.3
  - >=2.8.0, <2.8.11.1
  - >=2.9.0, <2.9.5
Technical Details
The vulnerability in FasterXML jackson-databind (before versions 2.6.7.5, 2.7.9.3, 2.8.11.1, and 2.9.5) stems from an incomplete patch for the deserialization flaw CVE-2017-7525. Jackson's defence against that flaw is a blacklist of known deserialization "gadget" classes that must never be instantiated from type information carried in the input; the list did not cover classes from the c3p0 connection-pool library. An application that calls ObjectMapper.readValue() on untrusted JSON with default typing enabled (or that otherwise lets the input choose the concrete class for a broad target type such as Object) therefore lets an attacker name a c3p0 class in the JSON. Jackson instantiates that class and populates its properties from the attacker-controlled payload, and if c3p0 is on the classpath this chain leads to code execution during deserialization. The fixed versions add the c3p0 classes to the blacklist (see the linked commit); they do not make default typing on untrusted input safe in general.
What is the Impact of CVE-2018-7489?
Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data exfiltration, or denial of service.
What is the Exploitability of CVE-2018-7489?
Exploitation requires the target application to use a vulnerable version of FasterXML jackson-databind, to deserialize attacker-supplied JSON through a method such as ObjectMapper.readValue() with default typing enabled (or an equivalent polymorphic binding to a broad type such as Object), and to have the c3p0 library on its classpath. The vulnerability itself requires no authentication: it is triggered by the data processing, so the access needed is whatever the endpoint that accepts the JSON enforces. Injected code runs with the privileges of the application process. This is a remote scenario: the attacker needs network access to an endpoint that passes the JSON to the deserializer. The main constraints are the default-typing configuration and the presence of c3p0; where both hold, a successful attack is likely.
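The configuration difference the two sections above turn on, shown as an added example that is not part of this advisory or of the jackson-databind project. It assumes jackson-databind 2.9.x on the classpath (the 2.6 to 2.9 lines all expose the same enableDefaultTyping() API), uses a harmless JDK class in place of the c3p0 gadget classes the CVE concerns, and the Greeting type and the JSON input are constructed for illustration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingDemo {

    // Constructed sample input, not a real exploit payload. With default typing
    // on, Jackson reads Object-typed values in "wrapper array" form:
    //   [ "<fully qualified class name>", <value> ]
    // A harmless JDK class stands in for the c3p0 classes the CVE blacklists.
    static final String UNTRUSTED_JSON = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // Hypothetical contract type that the endpoint actually expects.
    public static final class Greeting {
        public String k;
    }

    /** Vulnerable pattern: default typing lets the input choose the class. */
    static Object vulnerableRead(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // enableDefaultTyping() (2.6-2.9 API) makes Jackson honour class names
        // embedded in the input for Object-typed targets. The gadget blacklist
        // that CVE-2018-7489 bypasses is the only check between this call and
        // an attacker-chosen class from the classpath.
        mapper.enableDefaultTyping();
        // The runtime class of the result is whatever the JSON named.
        return mapper.readValue(json, Object.class);
    }

    /** Safer: default typing off, so the class name is ordinary data. */
    static Object readWithoutDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper(); // default typing is off by default
        // Untyped binding yields a plain List/Map tree; no class is looked up.
        return mapper.readValue(json, Object.class);
    }

    /** Safest: bind untrusted input to the concrete type the endpoint expects. */
    static Greeting bindToContract(String json) throws Exception {
        // A wrapper array does not match Greeting, so Jackson rejects it and
        // nothing beyond the contract type is ever instantiated.
        return new ObjectMapper().readValue(json, Greeting.class);
    }

    public static void main(String[] args) throws Exception {
        Object v = vulnerableRead(UNTRUSTED_JSON);
        System.out.println("default typing on : " + v.getClass().getName());

        Object h = readWithoutDefaultTyping(UNTRUSTED_JSON);
        System.out.println("default typing off: " + h.getClass().getName());

        try {
            bindToContract(UNTRUSTED_JSON);
            System.out.println("bound to contract : accepted");
        } catch (JsonMappingException e) {
            System.out.println("bound to contract : rejected, " + e.getClass().getSimpleName());
        }
    }
}
```

Run against 2.9.x, the first read reports the class named in the input (java.util.HashMap), the second reports Jackson's own untyped container (java.util.ArrayList) with the class name kept as a string element, and the third is rejected with a mapping exception. Upgrading to the fixed versions only extends the blacklist; the durable fix is to keep default typing off for untrusted input and bind to concrete types, or, from 2.10 onward, to use activateDefaultTyping() with a PolymorphicTypeValidator allow-list instead of enableDefaultTyping(). To confirm exposure in a Maven build, inspect the resolved version with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` and check whether `com.mchange:c3p0` also appears in the tree.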
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| tafamace | Link | PoC for CVE-2018-7489 |
What are the Available Fixes for CVE-2018-7489?
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.5 → Upgrade to 2.6.7.5
  - >=2.7.0, <2.7.9.3 → Upgrade to 2.7.9.3
  - >=2.8.0, <2.8.11.1 → Upgrade to 2.8.11.1
  - >=2.9.0, <2.9.5 → Upgrade to 2.9.5
Additional Resources
- https://access.redhat.com/errata/RHSA-2018:2938
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://www.debian.org/security/2018/dsa-4190
- https://github.com/FasterXML/jackson-databind/commit/ca2bfc86af82a1479112004b663ba74c760752e6
- https://access.redhat.com/errata/RHSA-2018:1786
- https://access.redhat.com/errata/RHSA-2018:2088
- http://www.securitytracker.com/id/1041890
- https://access.redhat.com/errata/RHSA-2018:1450
- https://access.redhat.com/errata/RHSA-2018:1449
- https://access.redhat.com/errata/RHSA-2018:1448
What are Similar Vulnerabilities to CVE-2018-7489?
Similar Vulnerabilities: CVE-2017-7525, CVE-2020-36179, CVE-2020-25649, CVE-2017-15095, CVE-2019-12384
