Lucene search

K
redhatcveRedhat.comRH:CVE-2018-7489
HistoryDec 06, 2020 - 11:49 a.m.

CVE-2018-7489

2020-12-0611:49:47
redhat.com
access.redhat.com
48

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.939 High

EPSS

Percentile

99.1%

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Mitigation

Advice on how to remain safe while using JAX-RS webservices on JBoss EAP 7.x is available here:

<https://access.redhat.com/solutions/3279231&gt;
<https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization&gt;

General Mitigation:
Try to avoid

  • Deserialization from sources you do not control
  • enableDefaultTyping()
  • @JsonTypeInfo using id.CLASSorid.MINIMAL_CLASS`

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.939 High

EPSS

Percentile

99.1%