Reactive JVM Platform
ENTVTX-156 Product Release 3.4.2 P02
ENTVTX-155

CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries [vertx-3.4.2]


Security Tracking Issue

Do not make this issue public.

This bug is subject to the Security Errata Policy.

The overall impact of the blocking security issue(s) is Moderate. Based on this impact, this bug must be resolved by 26-Feb-2019.

Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata

Flaw:

CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
https://bugzilla.redhat.com/show_bug.cgi?id=1549276

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Upstream issue:

https://github.com/FasterXML/jackson-databind/issues/1931

Upstream patch:

https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
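The flaw above is a property of jackson-databind's global default typing: the JSON carries a class name that selects the type to instantiate, and in 2.8/2.9 the only guard is a blacklist of known gadget classes, which the linked upstream patch extends. The following is an added example, not code from this issue, from Vert.x or from jackson itself: it places the weak `enableDefaultTyping()` configuration beside the allow-list `PolymorphicTypeValidator` that jackson 2.10 introduced (so it needs jackson-databind 2.10 or later), using a hypothetical `com.example.events` package and `Event` type.

```java
package com.example.events;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical application types; with default typing, the JSON names the concrete class.
    public interface Event {}
    public static class LoginEvent implements Event { public String user; }

    // Weak setting: any class named in the input is instantiated unless it is on jackson's
    // built-in blacklist, which CVE-2018-7489 showed to be incomplete (c3p0 classes missing).
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Corrected setting (jackson 2.10+): an allow-list. Only type ids under our own package
    // are accepted; anything else is denied by name, before the class is even loaded.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.")
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper hardened = hardenedMapper();

        // Legitimate input (constructed): the type id names one of our own classes and round-trips.
        LoginEvent e = new LoginEvent();
        e.user = "alice";
        String good = hardened.writeValueAsString(e);
        LoginEvent back = (LoginEvent) hardened.readValue(good, Event.class);
        System.out.println("accepted: " + back.user);

        // Untrusted input (constructed): a type id outside the allow-list, as attacker-controlled
        // JSON would supply. The validator denies it; the weak mapper would try to resolve it.
        String bad = "[\"com.example.other.NotAllowed\",{}]";
        try {
            hardened.readValue(bad, Event.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Applications that cannot move to 2.10 should not enable default typing at all on untrusted input, since the blacklist approach depends on every gadget class being known in advance.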

rhn-engineering-rruss Rodney Russ
rhn-support-jshepher Jason Shepherd