
Fix CVE-2018-7489 #7

Closed


debricked-staging[bot]

CVE-2018-7489

Vulnerable dependency: com.fasterxml.jackson.core:jackson-databind (Maven), version 2.3.3

Vulnerability details

Description

Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

GitHub

High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

NVD

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

CVSS details - 9.8

CVSS3 metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
