Remote code execution in FasterXML jackson-databind



Published: 2018-02-16 | Updated: 2018-03-26
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2018-5968
CVE-2018-7489
CWE-ID CWE-502
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor FasterXML

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Deserialization of untrusted data

EUVDB-ID: #VU10610

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-5968

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to deserialization flaw. A remote attacker can supply specially crafted input, execute arbitrary code and bypass a blacklist on the target system.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 2.8.11.1 or 2.9.4.

Vulnerable software versions

jackson-databind: 2.8.0 - 2.8.11, 2.9.0 - 2.9.3


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/1899

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Deserialization of untrusted data

EUVDB-ID: #VU11268

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-7489

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to bypass security restrictions and execute arbitrary code on the target system.

The weakness exists in the readValue method due to improper validation of user-input. A remote attacker can send malicious JSON input, bypass security restrictions and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 2.8.11.1.

Vulnerable software versions

jackson-databind: 2.0.0 - 2.0.4, 2.1.0 - 2.1.4, 2.3.0 - 2.3.5, 2.4.0 - 2.4.6.1, 2.5.0 - 2.5.5, 2.6.0 - 2.6.8, 2.7.0 - 2.7.9.3, 2.8.0 - 2.8.11, 2.9.0 - 2.9.4


CPE2.3 External links

http://github.com/FasterXML/jackson-databind/issues/1931

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###