IBMF2BC67EAFE3FB2B6D727749BE51CA6E2C0B10F71672B140D5EFF2E7D2355E378Security Bulletin: Public disclosed vulnerabilities from Jackson-databind affects IBM Spectrum LSF
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Summary
Public disclosed vulnerabilities from Jackson-databind affects IBM Spectrum LSF: CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489
Vulnerability Details
CVE-2017-7525
Jackson-databind (Also implemented in JBoss BPM Suite) is vulnerable to remote code execution when deserializing via the readValue() method of ObjectMapper.
CVE-2017-15095
An unauthenticated attacker can create a specially crafted payload that when deserialized in Jackson-databind can lead to Code Execution.
CVE-2017-17485
Deserialization of untrusted user data in Jackson Databind could allow an attacker to perform PHP Object Injection resulting in Remote Code Execution. This issue exists because of an incomplete fix for CVE-2017-7525 which the vendor tried to address through an incomplete blocklist.
CVE-2018-5968
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blocklist.
CVE-2018-7489
FasterXML jackson-databind contains a remote code execution (RCE) vulnerability due to an incomplete fix for the CVE-2017-7525 deserialization flaw. An unauthenticated attacker can exploit this vulnerability via readValue method to execute arbitrary code.
Affected Products and Versions
IBM Spectrum LSF 10.0.0.4
IBM Spectrum LSF 10.0.0.5
IBM Spectrum LSF 10.0.0.6
IBM Spectrum LSF 10.0.0.7
Remediation/Fixes
Product
|
VRMF
|
APAR
|
Remediation / First Fix
β|β|β|β
LSF
|
10.1.0.4
|
None
|
See fix below
LSF
|
10.1.0.5
|
None
|
See fix below
LSF
|
10.1.0.6
|
None
|
See fix below
LSF
|
10.1.0.7
|
None
|
See fix below
Download Fix 512358 from the following location:
http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+LSF&release=All&platform=All&function=fixId&fixids=lsf-10.1-build512358&includeSupersedes=0
-
Go to the patch install directory: cd $LSF_ENVDIR/β¦/10.1/install/
-
Copy the patch file to the install directory $LSF_ENVDIR/β¦/10.1/install/
-
Run patchinstall: ./patchinstall <patch>
-
Run βbadmin mbdrestartβ
Workarounds and Mitigations
| CPE | Name | Operator | Version |
|---|---|---|---|
| platform lsf | eq | any |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P