CVE-2018-7489
Unauthenticated remote code execution vulnerability in com.fasterxml.jackson.core:jackson-databind
What is CVE-2018-7489 About?
This vulnerability allows unauthenticated remote code execution in FasterXML jackson-databind due to an incomplete fix for a deserialization flaw. Attackers can send maliciously crafted JSON input to bypass existing blacklists and execute arbitrary code. The exploitability is moderate, relying on the presence of specific libraries.
Affected Software
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.5
  - >2.7.0, <2.7.9.3
  - >2.8.0, <2.8.11.1
  - >2.9.0, <2.9.5
Technical Details
The vulnerability in FasterXML jackson-databind (before versions 2.6.7.5, 2.7.9.3, 2.8.11.1, and 2.9.5) stems from an incomplete patch for the deserialization flaw CVE-2017-7525. Attackers can achieve unauthenticated remote code execution by sending specially crafted JSON input to the `readValue` method of ObjectMapper. This bypasses the serialization gadget blacklist, specifically if the `c3p0` libraries are available in the application's classpath. The crafted JSON payloads leverage objects from these libraries to achieve code execution during deserialization.
What is the Impact of CVE-2018-7489?
Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data exfiltration, or denial of service.
What is the Exploitability of CVE-2018-7489?
Exploitation requires the target application to use FasterXML jackson-databind in one of the vulnerable version ranges above and to have the `c3p0` libraries present on its classpath. The attacker must be able to deliver maliciously crafted JSON input to a method that performs deserialization, such as `ObjectMapper.readValue()`. Authentication is not required, because the flaw lies in the data processing itself. Code executed this way runs with the privileges of the application performing the vulnerable deserialization. This is a remote scenario that requires network access to the application's API endpoint. The main precondition is the presence of the `c3p0` libraries; where it is met, a successful attack is considerably more likely.
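The gadget chain described in the Technical Details and Exploitability sections is only reachable when the application lets untrusted JSON choose the runtime type of a property, most commonly by enabling default typing on an `ObjectMapper` (or by annotating an `Object`-typed property with `@JsonTypeInfo`). The fixed versions listed on this page extend the class blacklist; a more durable mitigation is to stop relying on that blacklist at all. The following is an added example, not code from the page or from the jackson-databind project, and it assumes jackson-databind 2.10 or later, where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` are available. The `Envelope` bean, the `com.example.model.` package prefix and the sample JSON are constructed for illustration; the sample names `java.util.HashMap` purely to show the rejection path.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingHardening {

    // Constructed bean: an Object-typed property is the shape that becomes
    // dangerous once default typing is on, because the JSON may then name
    // any class on the classpath as the runtime type of "payload".
    public static class Envelope {
        public Object payload;
    }

    // The configuration the CVE-2017-7525 / CVE-2018-7489 chain needs:
    // default typing enabled for non-concrete types, so a type wrapper in
    // untrusted JSON is honoured. Only the built-in blacklist then stands
    // between the input and a gadget class such as the c3p0 ones.
    public static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return mapper;
    }

    // Hardened variant: an allow-list validator. Only subtypes under our own
    // (placeholder) package may be named by the input; any other class id,
    // c3p0 included, fails with InvalidTypeIdException before any
    // constructor or setter of that class is invoked.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // placeholder package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Safest variant: never enable default typing. Object-typed properties
    // then bind to plain Maps, Lists and scalars, and a type wrapper in the
    // input is treated as ordinary data rather than as a class to load.
    public static ObjectMapper noDefaultTypingMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the WRAPPER_ARRAY form that default typing
        // expects, naming a class outside the allow-list (harmless HashMap).
        String json = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        try {
            hardenedMapper().readValue(json, Envelope.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected by validator: " + e.getMessage());
        }

        Envelope env = noDefaultTypingMapper().readValue(json, Envelope.class);
        // Without default typing the array is just a List; no class is loaded.
        System.out.println("payload bound as: " + env.payload.getClass().getName());
    }
}
```

When auditing an application for this issue, search for `enableDefaultTyping`, `activateDefaultTyping` and `@JsonTypeInfo` on `Object`, `Serializable` or interface-typed properties; each such site is an entry point where `readValue` will honour a class name from the input, and each should either be removed or given an allow-list validator like the one above.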
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| tafamace | Link | PoC for CVE-2018-7489 |
What are the Available Fixes for CVE-2018-7489?
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-databind
  - <2.6.7.5 → Upgrade to 2.6.7.5
  - >2.7.0, <2.7.9.3 → Upgrade to 2.7.9.3
  - >2.8.0, <2.8.11.1 → Upgrade to 2.8.11.1
  - >2.9.0, <2.9.5 → Upgrade to 2.9.5
Additional Resources
- https://access.redhat.com/errata/RHSA-2018:2938
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://www.debian.org/security/2018/dsa-4190
- https://github.com/FasterXML/jackson-databind/commit/ca2bfc86af82a1479112004b663ba74c760752e6
- https://access.redhat.com/errata/RHSA-2018:1786
- https://access.redhat.com/errata/RHSA-2018:2088
- http://www.securitytracker.com/id/1041890
- https://access.redhat.com/errata/RHSA-2018:1450
- https://access.redhat.com/errata/RHSA-2018:1449
- https://access.redhat.com/errata/RHSA-2018:1448
What are Similar Vulnerabilities to CVE-2018-7489?
Similar Vulnerabilities: CVE-2017-7525, CVE-2020-36179, CVE-2020-25649, CVE-2017-15095, CVE-2019-12384
