Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-4114.NASL
HistoryFeb 16, 2018 - 12:00 a.m.

Debian DSA-4114-1 : jackson-databind - security update

2018-02-1600:00:00
This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
8
JSON

It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker to perform code execution by providing maliciously crafted input.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-4114. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(106853);
  script_version("3.3");
  script_cvs_date("Date: 2018/11/13 12:30:46");

  script_cve_id("CVE-2017-17485", "CVE-2018-5968");
  script_xref(name:"DSA", value:"4114");

  script_name(english:"Debian DSA-4114-1 : jackson-databind - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"It was discovered that jackson-databind, a Java library used to parse
JSON and other data formats, did not properly validate user input
before attempting deserialization. This allowed an attacker to perform
code execution by providing maliciously crafted input."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888316"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888318"
  );
  # https://security-tracker.debian.org/tracker/source-package/jackson-databind
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?61134ddf"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/jackson-databind"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/stretch/jackson-databind"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2018/dsa-4114"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the jackson-databind packages.

For the oldstable distribution (jessie), these problems have been
fixed in version 2.4.2-2+deb8u3.

For the stable distribution (stretch), these problems have been fixed
in version 2.8.6-1+deb9u3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:jackson-databind");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"8.0", prefix:"libjackson2-databind-java", reference:"2.4.2-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"libjackson2-databind-java-doc", reference:"2.4.2-2+deb8u3")) flag++;
if (deb_check(release:"9.0", prefix:"libjackson2-databind-java", reference:"2.8.6-1+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"libjackson2-databind-java-doc", reference:"2.8.6-1+deb9u3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
debiandebian_linuxjackson-databindp-cpe:/a:debian:debian_linux:jackson-databind
debiandebian_linux8.0cpe:/o:debian:debian_linux:8.0
debiandebian_linux9.0cpe:/o:debian:debian_linux:9.0

Related

debian 2
openvas 3
mageia 1
osv 6
debiancve 2
github 3
redhatcve 3
cve 3
ibm 22
ubuntucve 2
prion 3
veracode 3
fedora 2
seebug 1
nessus 10
redhat 18
checkpoint_advisories 1
hp 1
oracle 1
debian
debian
[SECURITY] [DSA 4114-1] jackson-databind security update
2018-02-15 07:04:58
[SECURITY] [DSA 4114-1] jackson-databind security update
2018-02-15 07:04:58
openvas
openvas
Debian Security Advisory DSA 4114-1 (jackson-databind - security update)
2018-02-15 00:00:00
Fedora Update for jackson-databind FEDORA-2018-bbf8c38b51
2018-02-08 00:00:00
Fedora Update for jackson-databind FEDORA-2018-e4b025841e
2018-02-08 00:00:00
mageia
mageia
Updated jackson-databind packages fix security vulnerability
2018-02-25 02:25:24
osv
osv
jackson-databind - security update
2018-02-15 00:00:00
Deserialization of Untrusted Data in jackson-databind
2020-06-30 20:40:50
CVE-2018-5968
2018-01-22 04:29:00
debiancve
debiancve
CVE-2018-5968
2018-01-22 04:29:00
CVE-2017-17485
2018-01-10 18:29:00
github
github
Deserialization of Untrusted Data in jackson-databind
2020-06-30 20:40:50
jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass
2018-10-18 17:42:48
Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl
2022-05-24 16:57:28
redhatcve
redhatcve
CVE-2018-5968
2020-04-09 12:20:28
CVE-2019-10202
2019-10-12 02:27:16
CVE-2017-17485
2020-04-09 07:26:09
cve
cve
CVE-2018-5968
2018-01-22 04:29:00
CVE-2017-17485
2018-01-10 18:29:00
CVE-2019-10202
2019-10-01 15:15:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities has been identified in Jackson JSON library shipped with IBM Tivoli Netcool/OMNIbus Integrations Transport Module Common Integration Library (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489)
2018-06-17 15:51:29
Security Bulletin: Multiple vulnerabilities in Jackson-databind affect IBM InfoSphere Information Server
2018-07-12 00:16:00
Security Bulletin: Multiple vulnerabilities within Jackson JSON library affect IBM Business Automation Workflow (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489)
2023-01-03 15:55:34
ubuntucve
ubuntucve
CVE-2018-5968
2018-01-22 00:00:00
CVE-2017-17485
2018-01-10 00:00:00
prion
prion
Remote code execution
2018-01-22 04:29:00
Design/Logic Flaw
2018-01-10 18:29:00
Deserialization of untrusted data
2019-10-01 15:15:00
veracode
veracode
Remote Code Execution (RCE)
2018-01-22 07:53:13
Remote Code Execution (RCE)
2019-01-15 09:20:28
Remote Code Execution (RCE)
2018-01-11 02:20:08
fedora
fedora
[SECURITY] Fedora 26 Update: jackson-databind-2.7.6-8.fc26
2018-02-07 13:00:23
[SECURITY] Fedora 27 Update: jackson-databind-2.7.6-8.fc27
2018-02-07 13:18:19
seebug
seebug
Jackson-databind θΏœη¨‹δ»£η ζ‰§θ‘ŒζΌζ΄ž(CVE-2017-17485)
2018-01-11 00:00:00
nessus
nessus
RHEL 7 : Virtualization (RHSA-2018:1525)
2018-05-18 00:00:00
RHEL 6 : JBoss EAP (RHSA-2018:0479)
2018-03-14 00:00:00
RHEL 7 : rh-maven35-jackson-databind (RHSA-2018:0342)
2018-04-30 00:00:00
redhat
redhat
(RHSA-2018:1525) Important: rhvm-appliance security and enhancement update
2018-05-15 18:44:54
(RHSA-2018:0116) Important: rh-eclipse46-jackson-databind security update
2018-01-23 05:27:26
(RHSA-2018:0479) Important: JBoss Enterprise Application Platform 7.1.1 on RHEL 6
2018-03-12 16:34:40
checkpoint_advisories
checkpoint_advisories
Apache Struts2 Jackson Library Remote Code Execution (CVE-2017-15095; CVE-2017-17485; CVE-2017-7525; CVE-2018-7489)
2017-12-05 00:00:00
hp
hp
HP Device Manager Security Updates
2023-10-20 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2020
2020-10-20 00:00:00
JSON
Related for DEBIAN_DSA-4114.NASL
debian2openvas3mageia1osv6debiancve2github3redhatcve3cve3ibm22ubuntucve2prion3veracode3fedora2seebug1nessus10redhat18checkpoint_advisories1hp1oracle1