FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2018:1525 advisory.

  - undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)

  - ovirt-engine: account enumeration through login to web console (CVE-2018-1073)

  - dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script (CVE-2018-1111)

  - jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and     CVE-2017-17485) (CVE-2018-5968)

  - python-paramiko: Authentication bypass in transport.py (CVE-2018-7750)

  - slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution     (CVE-2018-8088)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0481 advisory.

  - resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)

  - artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

  - undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)

  - infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)     (CVE-2017-17485)

  - undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)

  - jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and     CVE-2017-17485) (CVE-2018-5968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0480 advisory.

  - resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)

  - artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

  - undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)

  - infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)     (CVE-2017-17485)

  - undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)

  - jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and     CVE-2017-17485) (CVE-2018-5968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0479 advisory.

  - resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)

  - artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

  - undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)

  - infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)     (CVE-2017-15095)

  - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)     (CVE-2017-17485)

  - undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)

  - jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and     CVE-2017-17485) (CVE-2018-5968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker to perform code execution by providing maliciously crafted input.

ID	Name	Product	Family	Severity
109910	RHEL 7 : rhvm-appliance (RHSA-2018:1525)	Nessus	Red Hat Local Security Checks	critical
108325	RHEL 6 / 7 : jboss-ec2-eap package for EAP 7.1.1 (Important) (RHSA-2018:0481)	Nessus	Red Hat Local Security Checks	critical
108324	RHEL 7 : JBoss Enterprise Application Platform 7.1.1 for RHEL 7 (Important) (RHSA-2018:0480)	Nessus	Red Hat Local Security Checks	critical
108323	RHEL 6 : JBoss Enterprise Application Platform 7.1.1 on RHEL 6 (Important) (RHSA-2018:0479)	Nessus	Red Hat Local Security Checks	critical
106853	Debian DSA-4114-1 : jackson-databind - security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2018-5968

high

Tenable Plugins

critical

critical

critical

critical

critical