(RHSA-2018:0116) Important: rh-eclipse46-jackson-databind security update

2018-01-23T10:27:26
ID RHSA-2018:0116
Type redhat
Reporter RedHat
Modified 2018-04-23T11:41:50

Description

The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.

Security Fix(es):

  • A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper. This issue extends upon the previous flaws CVE-2017-7525 and CVE-2017-15095 by blacklisting more classes that could be used maliciously. (CVE-2017-17485)

Red Hat would like to thank 0c0c0f from 360观星实验室 for reporting this issue.