Rapid7 Vulnerability & Exploit Database

Red Hat JBoss EAP: Deserialization of Untrusted Data (CVE-2017-15095)

Free InsightVM Trial No Credit Card Necessary

Watch Demo See how it all works

Back to Search

Red Hat JBoss EAP: Deserialization of Untrusted Data (CVE-2017-15095)

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

02/06/2018

Created

11/23/2019

Added

11/14/2019

Modified

11/08/2023

Description

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Solution(s)

red-hat-jboss-eap-upgrade-6_4_20
red-hat-jboss-eap-upgrade-7_1_1

References

https://attackerkb.com/topics/cve-2017-15095
103880
CVE - 2017-15095
DSA-4037
RHSA-2017:3189
RHSA-2017:3190
RHSA-2018:0342
RHSA-2018:0478
RHSA-2018:0479
RHSA-2018:0480
RHSA-2018:0481
RHSA-2018:0576
RHSA-2018:0577
RHSA-2018:1447
RHSA-2018:1448
RHSA-2018:1449
RHSA-2018:1450
RHSA-2018:1451
RHSA-2018:2927
RHSA-2019:2858
RHSA-2019:3149
RHSA-2019:3892
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/103880
http://www.securitytracker.com/id/1039769
https://access.redhat.com/errata/RHSA-2017:3189
https://access.redhat.com/errata/RHSA-2017:3190
https://access.redhat.com/errata/RHSA-2018:0342
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:0576
https://access.redhat.com/errata/RHSA-2018:0577
https://access.redhat.com/errata/RHSA-2018:1447
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1451
https://access.redhat.com/errata/RHSA-2018:2927
https://access.redhat.com/errata/RHSA-2019:2858
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:3892
https://github.com/FasterXML/jackson-databind/issues/1680
https://github.com/FasterXML/jackson-databind/issues/1737
https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
https://security.netapp.com/advisory/ntap-20171214-0003/
https://www.debian.org/security/2017/dsa-4037
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Advanced vulnerability management analytics and reporting.

Key Features

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

Rapid7 Vulnerability & Exploit Database

Red Hat JBoss EAP: Deserialization of Untrusted Data (CVE-2017-15095)

Red Hat JBoss EAP: Deserialization of Untrusted Data (CVE-2017-15095)

Description

Solution(s)

References

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.