Jackson-databind is vulnerable to remote code execution (RCE) attacks. Attackers can exploit an incomplete fix of CVE-2017-7525
to bypass the blacklist when Spring libraries are available on the class path. In order to be vulnerable to this attack, either the use of @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
or @JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS)
or a call to ObjectMapper.enableDefaultTyping(...)
is needed.
www.securityfocus.com/archive/1/541652/100/0/threaded
access.redhat.com/errata/RHSA-2018:0116
access.redhat.com/errata/RHSA-2018:0342
access.redhat.com/errata/RHSA-2018:0478
access.redhat.com/errata/RHSA-2018:0479
access.redhat.com/errata/RHSA-2018:0480
access.redhat.com/errata/RHSA-2018:0481
access.redhat.com/errata/RHSA-2018:1447
access.redhat.com/errata/RHSA-2018:1448
access.redhat.com/errata/RHSA-2018:1449
access.redhat.com/errata/RHSA-2018:1450
access.redhat.com/errata/RHSA-2018:1451
access.redhat.com/errata/RHSA-2018:2930
access.redhat.com/errata/RHSA-2019:1782
access.redhat.com/errata/RHSA-2019:1797
access.redhat.com/errata/RHSA-2019:2858
access.redhat.com/errata/RHSA-2019:3149
access.redhat.com/errata/RHSA-2019:3892
access.redhat.com/security/updates/classification/#important
github.com/FasterXML/jackson-databind/issues/1855
github.com/irsl/jackson-rce-via-spel/
security.netapp.com/advisory/ntap-20180201-0003/
support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
www.debian.org/security/2018/dsa-4114
www.oracle.com/security-alerts/cpuoct2020.html