CVE-2017-15095
📋 TL;DR
CVE-2017-15095 is a critical deserialization vulnerability in jackson-databind that allows unauthenticated remote code execution when attacker-controlled JSON is passed to ObjectMapper's readValue method. It affects applications that deserialize untrusted data with a vulnerable jackson-databind version (before 2.8.10, or 2.9.x before 2.9.1). It stems from an incomplete fix for CVE-2017-7525: the blacklist of dangerous classes introduced there was extended, but it could still be bypassed, so systems remained exposed.
💻 Affected Systems
- jackson-databind
- Applications using jackson-databind for JSON processing
- Oracle products listed in advisories
📦 What is this software?
- Communications Billing And Revenue Management by Oracle
- Communications Diameter Signaling Router by Oracle
- Communications Instant Messaging Server by Oracle
- Enterprise Manager For Virtualization by Oracle
- Financial Services Analytical Applications Infrastructure by Oracle
- Global Lifecycle Management Opatchauto by Oracle
- Jboss Enterprise Application Platform by Redhat
- Satellite by Redhat
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code with application privileges, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Remote code execution leading to application compromise, data exfiltration, and potential pivot to other systems in the environment.
If Mitigated
Limited impact if proper input validation and deserialization controls are implemented, potentially reduced to denial of service or information disclosure.
🎯 Exploit Status
Exploitation requires sending specially crafted JSON payloads to endpoints that call ObjectMapper.readValue() on untrusted input. It relies on the same blacklist-bypass approach as CVE-2017-7525, using gadget classes the earlier fix did not cover.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.10 or 2.9.1
Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/1723
Restart Required: Yes
Instructions:
1. Update the jackson-databind dependency to version 2.8.10 or later (2.9.1 for the 2.9.x branch).
2. Update all transitive dependencies that pull in vulnerable versions.
3. Restart affected applications.
4. Verify that no older versions remain on the classpath.
🔧 Temporary Workarounds
Keep default typing disabled
Configure ObjectMapper so that untrusted input cannot select the class to instantiate: leave default typing off (it is off in a fresh ObjectMapper) and reject unexpected properties.
ObjectMapper mapper = new ObjectMapper();
// Do not call enableDefaultTyping() for untrusted sources: it is the setting that lets the payload pick the class
mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
Input validation and filtering
Implement strict input validation and filtering for JSON payloads before deserialization:
- Validate the JSON structure before deserialization
- Use whitelisting for allowed classes
- Implement custom deserializers for sensitive types
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable applications from untrusted networks
- Deploy web application firewall (WAF) rules to block malicious JSON payloads containing suspicious class names
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for jackson-databind versions before 2.8.10 or 2.9.1 using dependency management tools or examining JAR files
Check Version:
- mvn dependency:tree | grep jackson-databind
- gradle dependencies | grep jackson-databind
- java -cp jackson-databind.jar com.fasterxml.jackson.databind.cfg.PackageVersion
Verify Fix Applied:
Verify jackson-databind version is 2.8.10 or later (2.9.1 for 2.9.x) and test deserialization with known malicious payloads
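The following is an added example, not code from the advisory or from the jackson-databind project. It combines the two workarounds above (default typing left off, unknown properties rejected, an explicit whitelist of subtypes for polymorphic fields, and a pre-deserialization scan of the raw JSON) with the verification step: at startup it reads the version of the jackson-databind JAR that was actually loaded, via the real `PackageVersion.VERSION` constant, so a stale transitive copy shadowing the patched one is caught. The `Payment`, `Card` and `BankTransfer` types and the sample payloads are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;

import java.io.IOException;

/** Hardened jackson-databind setup: patched-version assertion, no default typing,
 *  a closed subtype set for polymorphism, and a streaming pre-check on the raw JSON. */
public class SafeJacksonConfig {

    /** True when the loaded jackson-databind is at or past the fixed releases named in the
     *  advisory (2.8.10, or 2.9.1 on the 2.9 branch). */
    static boolean isPatchedVersion(Version v) {
        int major = v.getMajorVersion(), minor = v.getMinorVersion(), patch = v.getPatchLevel();
        if (major != 2) return major > 2;
        if (minor >= 10) return true;       // later branches post-date the fix
        if (minor == 9) return patch >= 1;
        if (minor == 8) return patch >= 10;
        return false;                       // 2.7 and older never received the fix
    }

    public static ObjectMapper hardenedMapper() {
        // PackageVersion.VERSION reports the JAR that is really on the classpath,
        // which is what "verify no older versions remain in classpath" needs to check.
        Version loaded = PackageVersion.VERSION;
        if (!isPatchedVersion(loaded)) {
            throw new IllegalStateException(
                "jackson-databind " + loaded + " predates the CVE-2017-15095 fix");
        }
        ObjectMapper mapper = new ObjectMapper();
        // Default typing stays off: enabling it lets the JSON choose the class to instantiate,
        // which is the behaviour the gadget-class blacklist was trying to contain.
        // Unknown properties (including stray type-id properties) are rejected, not ignored.
        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
        return mapper;
    }

    // Polymorphism the safe way: a logical name selects one of a closed set of subtypes,
    // so the payload can pick a shape but never a class name. (Constructed types.)
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Card.class, name = "card"),
        @JsonSubTypes.Type(value = BankTransfer.class, name = "bank")
    })
    public static abstract class Payment { public long amountCents; }
    public static class Card extends Payment { public String last4; }
    public static class BankTransfer extends Payment { public String iban; }

    /** Pre-deserialization filter: walk the token stream and reject any document carrying
     *  Jackson's class-name type-id property ("@class"), before any class is resolved. */
    static boolean carriesClassTypeId(ObjectMapper mapper, String json) throws IOException {
        try (JsonParser p = mapper.getFactory().createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.FIELD_NAME && "@class".equals(p.getCurrentName())) {
                    return true;
                }
            }
        }
        return false;
    }

    public static Payment readPayment(ObjectMapper mapper, String json) throws IOException {
        if (carriesClassTypeId(mapper, json)) {
            throw new IllegalArgumentException("class-name type id in untrusted JSON");
        }
        return mapper.readValue(json, Payment.class);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = hardenedMapper();

        // Constructed sample: a well-formed payload selecting the "card" subtype.
        String ok = "{\"kind\":\"card\",\"amountCents\":1999,\"last4\":\"4242\"}";
        Payment p = readPayment(mapper, ok);
        System.out.println(p.getClass().getSimpleName() + " for " + p.amountCents + " cents");

        // Constructed sample: same shape plus a class-name type id. The pre-check rejects it;
        // even without the pre-check, FAIL_ON_UNKNOWN_PROPERTIES would refuse the extra property.
        String bad = "{\"kind\":\"card\",\"amountCents\":1,\"last4\":\"0000\","
                   + "\"@class\":\"example.Placeholder\"}";
        try {
            readPayment(mapper, bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it against the jackson-databind JAR the application really ships; if a shadowed 2.7.x or 2.8.9 copy wins the classpath race, `hardenedMapper()` fails at startup instead of silently deserializing with the unfixed code.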
📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors
- Stack traces containing ClassNotFoundException or NoClassDefFoundError for unexpected classes
- Large or malformed JSON payloads in request logs
Network Indicators:
- HTTP requests with JSON payloads containing unusual class names or serialized object patterns
- Requests to JSON endpoints with content-types that trigger deserialization
SIEM Query:
source="web_logs" AND (http_method="POST" OR http_method="PUT") AND content_type="application/json" AND (url_path="*api*" OR url_path="*rest*") AND (payload CONTAINS "java.lang.Class" OR payload CONTAINS "com.sun.")
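The SIEM query above expressed as standalone detection logic, added here as an example and not taken from the advisory. It scopes to JSON writes on API/REST paths the way the query does, then looks for Jackson's class-name type-id property (`@class`) and the two class-name prefixes the query names. The `Request` record and the log entries are constructed for the example and do not follow any particular log product's schema.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Log-side detection for the advisory's indicators: JSON writes to API/REST paths whose
 *  body carries a class-name type id or one of the class-name prefixes from the SIEM query. */
public class JacksonPayloadDetector {

    /** One access-log record. Field names are constructed for this example, not a real schema. */
    static final class Request {
        final String method, contentType, path, body;
        Request(String method, String contentType, String path, String body) {
            this.method = method; this.contentType = contentType; this.path = path; this.body = body;
        }
        @Override public String toString() { return method + " " + path + " " + body; }
    }

    // "@class" is the property Jackson's default typing uses for class-name type ids; a client has
    // no legitimate reason to send it. The other two indicators are the ones in the page's query.
    static final Pattern SUSPICIOUS_BODY = Pattern.compile(
        "\"@class\"\\s*:|java\\.lang\\.Class|com\\.sun\\.");
    static final Pattern API_PATH = Pattern.compile("(?i)/(api|rest)(/|$)");

    /** Mirrors the query's scoping: only JSON writes to API/REST paths reach a deserializer. */
    static boolean reachesDeserializer(Request r) {
        boolean write = "POST".equals(r.method) || "PUT".equals(r.method);
        boolean json = r.contentType != null
            && r.contentType.toLowerCase().startsWith("application/json");
        return write && json && API_PATH.matcher(r.path).find();
    }

    static boolean isSuspicious(Request r) {
        return reachesDeserializer(r) && SUSPICIOUS_BODY.matcher(r.body).find();
    }

    static List<Request> flag(List<Request> log) {
        List<Request> hits = new ArrayList<>();
        for (Request r : log) {
            if (isSuspicious(r)) hits.add(r);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample records; none come from a real system.
        List<Request> log = Arrays.asList(
            new Request("POST", "application/json", "/api/orders", "{\"id\":7,\"sku\":\"A-1\"}"),
            new Request("POST", "application/json", "/api/orders",
                        "{\"id\":7,\"@class\":\"example.Placeholder\"}"),
            new Request("GET",  "text/html",        "/api/orders", ""),
            new Request("POST", "application/json", "/static/feedback", "{\"text\":\"@class: none\"}"),
            new Request("PUT",  "application/json; charset=utf-8", "/rest/v1/profile",
                        "{\"bio\":\"reading about java.lang.Class today\"}")
        );
        for (Request hit : flag(log)) {
            System.out.println("ALERT " + hit);
        }
    }
}
```

Two of the five constructed records are flagged: the order with a `@class` property, and the profile update whose free-text field merely mentions `java.lang.Class`. The second is a false positive inherent in plain string matching on the body, which is why the class-name indicators fit a triage or hunting rule better than an automatic block, while the `@class` property match is precise enough to page on.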
🔗 References
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/103880
- http://www.securitytracker.com/id/1039769
- https://access.redhat.com/errata/RHSA-2017:3189
- https://access.redhat.com/errata/RHSA-2017:3190
- https://access.redhat.com/errata/RHSA-2018:0342
- https://access.redhat.com/errata/RHSA-2018:0478
- https://access.redhat.com/errata/RHSA-2018:0479
- https://access.redhat.com/errata/RHSA-2018:0480
- https://access.redhat.com/errata/RHSA-2018:0481
- https://access.redhat.com/errata/RHSA-2018:0576
- https://access.redhat.com/errata/RHSA-2018:0577
- https://access.redhat.com/errata/RHSA-2018:1447
- https://access.redhat.com/errata/RHSA-2018:1448
- https://access.redhat.com/errata/RHSA-2018:1449
- https://access.redhat.com/errata/RHSA-2018:1450
- https://access.redhat.com/errata/RHSA-2018:1451
- https://access.redhat.com/errata/RHSA-2018:2927
- https://access.redhat.com/errata/RHSA-2019:2858
- https://access.redhat.com/errata/RHSA-2019:3149
- https://access.redhat.com/errata/RHSA-2019:3892
- https://github.com/FasterXML/jackson-databind/issues/1680
- https://github.com/FasterXML/jackson-databind/issues/1737
- https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
- https://security.netapp.com/advisory/ntap-20171214-0003/
- https://www.debian.org/security/2017/dsa-4037
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html