#VU10610 Deserialization of untrusted data in jackson-databind


Published: 2018-02-16

Vulnerability identifier: #VU10610

Vulnerability risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-5968

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor: FasterXML

Description
The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to deserialization flaw. A remote attacker can supply specially crafted input, execute arbitrary code and bypass a blacklist on the target system.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update to version 2.8.11.1 or 2.9.4.

Vulnerable software versions

jackson-databind: 2.8.0 - 2.8.11, 2.9.0 - 2.9.3

External links
http://github.com/FasterXML/jackson-databind/issues/1899

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Application Performance Management products
Multiple vulnerabilities in IBM Business Automation Workflow
Multiple vulnerabilities in z/Transaction Processing Facility
Red Hat update for OpenShift Container Platform logging-elasticsearch5-container
Red Hat update for OpenShift Container Platform 4.1.18 logging-elasticsearch5
Red Hat update for jackson-databind
Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 7 update for eap7-jboss-ec2-eap
Debian update for jackson-databind
Remote code execution in FasterXML jackson-databind