#VU10610 Deserialization of untrusted data in jackson-databind


Published: 2018-02-16

Vulnerability identifier: #VU10610

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2018-5968

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor: FasterXML

Description
The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to deserialization flaw. A remote attacker can supply specially crafted input, execute arbitrary code and bypass a blacklist on the target system.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update to version 2.8.11.1 or 2.9.4.

Vulnerable software versions

jackson-databind: 2.8.0 - 2.8.11, 2.9.0 - 2.9.3

CPE

External links
http://github.com/FasterXML/jackson-databind/issues/1899

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Business Automation Workflow
Multiple vulnerabilities in z/Transaction Processing Facility
Red Hat update for OpenShift Container Platform logging-elasticsearch5-container
Red Hat update for OpenShift Container Platform 4.1.18 logging-elasticsearch5
Red Hat update for jackson-databind
Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 7 update for eap7-jboss-ec2-eap
Debian update for jackson-databind
Remote code execution in FasterXML jackson-databind