[Secure-testing-team] Bug#888318: jackson-databind: CVE-2017-17485

Salvatore Bonaccorso carnil at debian.org
Wed Jan 24 22:11:13 UTC 2018


Source: jackson-databind
Version: 2.9.1-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855

Hi,

the following vulnerability was published for jackson-databind.

CVE-2017-17485[0]:
| FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 deserialization flaw. This is exploitable by
| sending maliciously crafted JSON input to the readValue method of the
| ObjectMapper, bypassing a blacklist that is ineffective if the Spring
| libraries are available in the classpath.

Please note in the security-tracker we initially marked this issue as
not-affected, since Red Hat claimed in [2] that it was a incomplete
fix specific to some Red Hat packages.
Could you double-check this and in case this bug was wronly open
report back? But it looks that the corresponding changes would as well
be missing from the Debian package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17485
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485
[1] https://github.com/FasterXML/jackson-databind/issues/1855
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0

Please adjust the affected versions in the BTS as needed, in
particular no check for stable and oldstable has been done yet.

Regards,
Salvatore



More information about the Secure-testing-team mailing list