Public disclosed vulnerabilities from Jackson-databind affects IBM Spectrum LSF: CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489
CVE-2017-7525
Jackson-databind (Also implemented in JBoss BPM Suite) is vulnerable to remote code execution when deserializing via the readValue()
method of ObjectMapper
.
CVE-2017-15095
An unauthenticated attacker can create a specially crafted payload that when deserialized in Jackson-databind
can lead to Code Execution.
CVE-2017-17485
Deserialization of untrusted user data in Jackson Databind could allow an attacker to perform PHP Object Injection resulting in Remote Code Execution. This issue exists because of an incomplete fix for CVE-2017-7525 which the vendor tried to address through an incomplete blocklist.
CVE-2018-5968
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blocklist.
CVE-2018-7489
FasterXML jackson-databind contains a remote code execution (RCE) vulnerability due to an incomplete fix for the CVE-2017-7525 deserialization flaw. An unauthenticated attacker can exploit this vulnerability via readValue
method to execute arbitrary code.
IBM Spectrum LSF 10.0.0.4
IBM Spectrum LSF 10.0.0.5
IBM Spectrum LSF 10.0.0.6
IBM Spectrum LSF 10.0.0.7
Product
|
VRMF
|
APAR
|
Remediation / First Fix
β|β|β|β
LSF
|
10.1.0.4
|
None
|
See fix below
LSF
|
10.1.0.5
|
None
|
See fix below
LSF
|
10.1.0.6
|
None
|
See fix below
LSF
|
10.1.0.7
|
None
|
See fix below
Download Fix 512358 from the following location:
http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+LSF&release=All&platform=All&function=fixId&fixids=lsf-10.1-build512358&includeSupersedes=0
Go to the patch install directory: cd $LSF_ENVDIR/β¦/10.1/install/
Copy the patch file to the install directory $LSF_ENVDIR/β¦/10.1/install/
Run patchinstall: ./patchinstall <patch>
Run βbadmin mbdrestartβ
CPE | Name | Operator | Version |
---|---|---|---|
platform lsf | eq | any |