CVE-2017-17485: Remote Code Execution vulnerability in FasterXML jackson-databind due to incomplete fix for CVE-2017-7525


Description

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because the fix for the earlier CVE-2017-7525 deserialization flaw was incomplete. That fix was a blacklist of class names known to be dangerous, and the blacklist is bypassed when Spring Framework libraries are on the classpath. An attacker who can get crafted JSON to the readValue method of an ObjectMapper that has default typing enabled (so that the JSON itself names the class to instantiate) can specify a Spring class the blacklist did not cover; the referenced proof of concept reaches code execution through Spring Expression Language (SpEL) evaluation.

Overview

The vulnerability affects jackson-databind, the data-binding module of the Jackson JSON processor for Java. The earlier deserialization flaw, CVE-2017-7525, was addressed by blacklisting class names known to be usable as deserialization gadgets rather than by restricting which classes may be instantiated at all. Because that blacklist was incomplete, the underlying problem remains: when the defaultTyping feature is enabled, the JSON document names the concrete class to instantiate for Object-, abstract- or interface-typed properties, and an attacker who controls the JSON can have the application construct classes it never intended to load, ending in arbitrary code execution.

The issue is particularly dangerous because the bypass depends only on Spring libraries being present on the classpath, which is true of a large share of Java applications, and not on the application using Spring for its JSON handling. When default typing is enabled and user-controlled JSON reaches ObjectMapper.readValue(), the attacker supplies a type identifier naming a Spring class outside the blacklist, jackson-databind resolves and instantiates it, and the side effects of constructing and populating that object are what yield remote code execution.

Remediation

To remediate this vulnerability, take the following actions:

  1. Update jackson-databind to a patched version:

    • For 2.8.x series: Update to 2.8.11 or later
    • For 2.9.x series: Update to 2.9.4 or later
  2. If immediate updating is not possible, reduce exposure until you can:

    • Do not enable default typing (enableDefaultTyping) unless the application genuinely needs polymorphic deserialization of Object-, abstract- or interface-typed properties; without it the JSON cannot choose the class to instantiate and this bypass has nothing to reach
    • Where polymorphism is required, declare the permitted concrete types explicitly with @JsonTypeInfo and @JsonSubTypes on the base type instead of relying on global default typing
    • If default typing cannot be removed, restrict it to an allow-list of your own types rather than tightening the blacklist; in jackson-databind 2.10 and later this is done with activateDefaultTyping and a PolymorphicTypeValidator, whereas the older enableDefaultTyping overloads, whatever arguments they are given, still depend on the blacklist this CVE bypasses
    • Treat validation of the raw JSON before it reaches the ObjectMapper (for example rejecting documents that carry a type identifier your API does not expect) and custom deserializers as defence in depth only; the instantiation happens inside the mapper, so neither is a substitute for the configuration changes above
  3. Review your application for any instances where user-controlled input is passed to ObjectMapper.readValue() and ensure proper validation is in place.

  4. If you use a dependency manager such as Maven or Gradle, remember that jackson-databind is usually pulled in transitively by frameworks and clients rather than declared directly. Inspect the resolved dependency tree (for example mvn dependency:tree or gradle dependencies), pin the patched version explicitly where an older one is resolved, and confirm the version actually shipped in your build artifacts.
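As an added example that is not part of this advisory or of the jackson-databind project's own documentation, the following Java program puts the weak configuration this CVE targets next to the allow-list configuration available since jackson-databind 2.10. The Order and Note classes, the sample JSON and the use of java.net.URL as a harmless stand-in for an attacker-chosen class are assumptions made for the demonstration, and the program assumes jackson-databind 2.10 or later on the classpath (2.8.11 and 2.9.4 fix this CVE but predate activateDefaultTyping).

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Illustrative program (not from the advisory): the blacklist-backed default typing that
 * CVE-2017-17485 bypasses, beside an allow-list configuration. Requires jackson-databind 2.10+.
 */
public class DefaultTypingDemo {

    // Hypothetical POJO with an Object-typed property. With default typing enabled, the JSON
    // decides which class "payload" becomes.
    public static class Order {
        public String id;
        public Object payload;
    }

    // The only payload type the application intends to accept.
    public static class Note {
        public String text;
    }

    /** Weak configuration: any class on the classpath that is not on the blacklist can be named. */
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10; shown only to illustrate the weak setting
        return m;
    }

    /** Hardened configuration: only Note (and its subclasses) may be instantiated for Object-typed properties. */
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input in Jackson's default WRAPPER_ARRAY form: ["<class name>", <value>].
        String legitimate = "{\"id\":\"42\",\"payload\":[\"" + Note.class.getName()
                + "\",{\"text\":\"ship today\"}]}";
        // Attacker-controlled class name. java.net.URL is a harmless stand-in for a gadget class;
        // the point is that the sender, not the application, chooses what gets constructed.
        String hostile = "{\"id\":\"42\",\"payload\":[\"java.net.URL\",\"http://attacker.example/\"]}";

        // The weak mapper resolves and constructs whatever class the JSON names.
        Order o1 = unsafeMapper().readValue(hostile, Order.class);
        System.out.println("unsafe mapper instantiated: " + o1.payload.getClass().getName());

        // The hardened mapper still handles the intended polymorphic payload.
        Order o2 = safeMapper().readValue(legitimate, Order.class);
        System.out.println("safe mapper accepted: " + o2.payload.getClass().getName());

        // The same hostile document is rejected before any instantiation takes place.
        try {
            safeMapper().readValue(hostile, Order.class);
            System.out.println("UNEXPECTED: hostile input accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("safe mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

The allow-list is checked when the type identifier is resolved, before a constructor or setter runs, which is why a validator beats post-hoc inspection of the JSON text: a class outside the list is refused with InvalidTypeIdException no matter what it would have done on construction. Replacing allowIfSubType(Note.class) with a package prefix via allowIfSubType("com.example.model.") keeps the same guarantee for a whole package of your own types.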

References

  1. GitHub issue tracking the vulnerability: https://github.com/FasterXML/jackson-databind/issues/1855
  2. Technical analysis and exploit demonstration: https://github.com/irsl/jackson-rce-via-spel/
  3. NetApp security advisory: https://security.netapp.com/advisory/ntap-20180201-0003/
  4. Red Hat security advisories:
    • https://access.redhat.com/errata/RHSA-2018:0116
    • https://access.redhat.com/errata/RHSA-2018:0342
  5. Debian security advisory: https://www.debian.org/security/2018/dsa-4114
  6. Oracle security advisory: https://www.oracle.com/security-alerts/cpuoct2020.html
  7. HPE security bulletin: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us

Industry Exposure (most to least affected)

This section ranks industries by how often this CVE has been observed in customer reports, from most to least affected. The ranking shows where the vulnerability has been seen most frequently and can help organisations in these sectors compare their exposure with peers and prioritise patching, resource allocation and remediation.

  1. Manufacturing
  2. Public Administration
  3. Professional, Scientific, & Technical Services
  4. Retail Trade
  5. Finance and Insurance
  6. Health Care & Social Assistance
  7. Arts, Entertainment & Recreation
  8. Management of Companies & Enterprises
  9. Other Services (except Public Administration)
  10. Transportation & Warehousing
  11. Educational Services
  12. Accommodation & Food Services
  13. Administrative, Support, Waste Management & Remediation Services
  14. Agriculture, Forestry, Fishing & Hunting
  15. Construction
  16. Information
  17. Mining
  18. Real Estate Rental & Leasing
  19. Utilities
  20. Wholesale Trade
