CVE-2017-15095

Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

How to fix CVE-2017-15095

To remediate CVE-2017-15095, upgrade the affected package to a fixed version below.

• —upgrade to 2.9.1-1 or later
• —upgrade to 2.4.2-2+deb8u2 or later
• —upgrade to 1.9.13-2 or later
• —upgrade to 1.9.2-3+deb8u1 or later
• —upgrade to 1.9.2-8+deb9u1 or later
• —upgrade to 2.8.11 or later

Is CVE-2017-15095 being exploited?

Moderate — EPSS is 7.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (6)

• from 0, < 2.9.1-1
• from 0, < 2.4.2-2+deb8u2
• from 0, < 1.9.13-2
• from 0, < 1.9.2-3+deb8u1
• from 0, < 1.9.2-8+deb9u1
• >= 2.8.0, < 2.8.11

CVSS scores

References (41)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-15095
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-15095
• PATCHgithub.com/FasterXML/jackson-databind
• WEBaccess.redhat.com/errata/RHSA-2017:3189
• WEB