#VU17778 Input validation error in jackson-databind


Published: 2019-02-19

Vulnerability identifier: #VU17778

Vulnerability risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14719

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jackson-databind
Universal components / Libraries / Libraries used by multiple products

Vendor: FasterXML

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to fail to block blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update to version 2.9.7.

Vulnerable software versions

jackson-databind: 2.9.0 - 2.9.6

External links
http://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
http://github.com/FasterXML/jackson-databind/issues/2097
http://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Disconnected Log Collector
Multiple vulnerabilities in IBM Application Performance Management products
Multiple vulnerabilities in IBM Security Verify Governance
Multiple vulnerabilities in IBM B2B Advanced Communications
IBM Log Analysis update for FasterXML jackson-databind
Multiple vulnerabilities in z/Transaction Processing Facility
Multiple vulnerabilities in IBM Process Mining
Multiple vulnerabilities in Red Hat Openshift Logging
Multiple vulnerabilities in Red Hat OpenShift Container Platform
Multiple vulnerabilities in Red Hat Data Grid