CVE-2018-5968: High severity fasterxml jackson-databind vulnerability
Published Jan 18, 2018
·Updated
A deserialization flaw was discovered in the jackson-databind that could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaws CVE-2017-7525 and CVE-2017-17485 by blacklisting more classes that could be used maliciously.
Other sources
A flaw was found in FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 which allows unauthenticated remote code execution due to an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
References: https://github.com/FasterXML/jackson-databind/issues/1899
Patch: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
— Red Hat
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Affected Software
86 affected componentsFixes available
redhat/eap7-activemq-artemis<0:1.5.5.009-1.redhat_1.1.ep7.el6
0:1.5.5.009-1.redhat_1.1.ep7.el6
redhat/eap7-apache-cxf<0:3.1.13-1.redhat_1.1.ep7.el6
0:3.1.13-1.redhat_1.1.ep7.el6
redhat/eap7-glassfish-jsf<0:2.2.13-6.SP5_redhat_1.1.ep7.el6
0:2.2.13-6.SP5_redhat_1.1.ep7.el6
redhat/eap7-hibernate<0:5.1.12-1.Final_redhat_1.1.ep7.el6
0:5.1.12-1.Final_redhat_1.1.ep7.el6
redhat/eap7-infinispan<0:8.2.9-1.Final_redhat_1.1.ep7.el6
0:8.2.9-1.Final_redhat_1.1.ep7.el6
redhat/eap7-ironjacamar<0:1.4.7-1.Final_redhat_1.1.ep7.el6
0:1.4.7-1.Final_redhat_1.1.ep7.el6
redhat/eap7-jackson-annotations<0:2.8.11-1.redhat_1.1.ep7.el6
0:2.8.11-1.redhat_1.1.ep7.el6
redhat/eap7-jackson-core<0:2.8.11-1.redhat_1.1.ep7.el6
0:2.8.11-1.redhat_1.1.ep7.el6
redhat/eap7-jackson-databind<0:2.8.11-1.redhat_1.1.ep7.el6
0:2.8.11-1.redhat_1.1.ep7.el6
redhat/eap7-jackson-jaxrs-providers<0:2.8.11-1.redhat_1.1.ep7.el6
0:2.8.11-1.redhat_1.1.ep7.el6
redhat/eap7-jackson-module-jaxb-annotations<0:2.8.11-1.redhat_1.1.ep7.el6
0:2.8.11-1.redhat_1.1.ep7.el6
redhat/eap7-jackson-modules-java8<0:2.8.11-1.redhat_1.1.ep7.el6
0:2.8.11-1.redhat_1.1.ep7.el6
redhat/eap7-jboss-logmanager<0:2.0.8-1.Final_redhat_1.1.ep7.el6
0:2.0.8-1.Final_redhat_1.1.ep7.el6
redhat/eap7-jboss-server-migration<0:1.0.3-6.Final_redhat_6.1.ep7.el6
0:1.0.3-6.Final_redhat_6.1.ep7.el6
redhat/eap7-jbossws-cxf<0:5.1.10-1.Final_redhat_1.1.ep7.el6
0:5.1.10-1.Final_redhat_1.1.ep7.el6
redhat/eap7-narayana<0:5.5.31-1.Final_redhat_1.1.ep7.el6
0:5.5.31-1.Final_redhat_1.1.ep7.el6
redhat/eap7-picketlink-bindings<0:2.5.5-10.SP9_redhat_1.1.ep7.el6
0:2.5.5-10.SP9_redhat_1.1.ep7.el6
redhat/eap7-picketlink-federation<0:2.5.5-10.SP9_redhat_1.1.ep7.el6
0:2.5.5-10.SP9_redhat_1.1.ep7.el6
redhat/eap7-resteasy<0:3.0.25-1.Final_redhat_1.1.ep7.el6
0:3.0.25-1.Final_redhat_1.1.ep7.el6
redhat/eap7-undertow<0:1.4.18-4.SP2_redhat_1.1.ep7.el6
0:1.4.18-4.SP2_redhat_1.1.ep7.el6
redhat/eap7-undertow-jastow<0:2.0.3-1.Final_redhat_1.1.ep7.el6
0:2.0.3-1.Final_redhat_1.1.ep7.el6
redhat/eap7-wildfly<0:7.1.1-4.GA_redhat_2.1.ep7.el6
0:7.1.1-4.GA_redhat_2.1.ep7.el6
redhat/eap7-wildfly-elytron<0:1.1.8-1.Final_redhat_1.1.ep7.el6
0:1.1.8-1.Final_redhat_1.1.ep7.el6
redhat/eap7-wildfly-http-client<0:1.0.9-1.Final_redhat_1.1.ep7.el6
0:1.0.9-1.Final_redhat_1.1.ep7.el6
redhat/eap7-wildfly-javadocs<0:7.1.1-3.GA_redhat_2.1.ep7.el6
0:7.1.1-3.GA_redhat_2.1.ep7.el6
redhat/eap7-wss4j<0:2.1.11-1.redhat_1.1.ep7.el6
0:2.1.11-1.redhat_1.1.ep7.el6
redhat/eap7-xml-security<0:2.0.9-1.redhat_1.1.ep7.el6
0:2.0.9-1.redhat_1.1.ep7.el6
redhat/eap7-jboss-ec2-eap<0:7.1.1-3.1.GA_redhat_3.ep7.el6
0:7.1.1-3.1.GA_redhat_3.ep7.el6
redhat/eap7-activemq-artemis<0:1.5.5.009-1.redhat_1.1.ep7.el7
0:1.5.5.009-1.redhat_1.1.ep7.el7
redhat/eap7-apache-cxf<0:3.1.13-1.redhat_1.1.ep7.el7
0:3.1.13-1.redhat_1.1.ep7.el7
redhat/eap7-glassfish-jsf<0:2.2.13-6.SP5_redhat_1.1.ep7.el7
0:2.2.13-6.SP5_redhat_1.1.ep7.el7
redhat/eap7-hibernate<0:5.1.12-1.Final_redhat_1.1.ep7.el7
0:5.1.12-1.Final_redhat_1.1.ep7.el7
redhat/eap7-infinispan<0:8.2.9-1.Final_redhat_1.1.ep7.el7
0:8.2.9-1.Final_redhat_1.1.ep7.el7
redhat/eap7-ironjacamar<0:1.4.7-1.Final_redhat_1.1.ep7.el7
0:1.4.7-1.Final_redhat_1.1.ep7.el7
redhat/eap7-jackson-annotations<0:2.8.11-1.redhat_1.1.ep7.el7
0:2.8.11-1.redhat_1.1.ep7.el7
redhat/eap7-jackson-core<0:2.8.11-1.redhat_1.1.ep7.el7
0:2.8.11-1.redhat_1.1.ep7.el7
redhat/eap7-jackson-databind<0:2.8.11-1.redhat_1.1.ep7.el7
0:2.8.11-1.redhat_1.1.ep7.el7
redhat/eap7-jackson-jaxrs-providers<0:2.8.11-1.redhat_1.1.ep7.el7
0:2.8.11-1.redhat_1.1.ep7.el7
redhat/eap7-jackson-module-jaxb-annotations<0:2.8.11-1.redhat_1.1.ep7.el7
0:2.8.11-1.redhat_1.1.ep7.el7
redhat/eap7-jackson-modules-java8<0:2.8.11-1.redhat_1.1.ep7.el7
0:2.8.11-1.redhat_1.1.ep7.el7
redhat/eap7-jboss-logmanager<0:2.0.8-1.Final_redhat_1.1.ep7.el7
0:2.0.8-1.Final_redhat_1.1.ep7.el7
redhat/eap7-jboss-server-migration<0:1.0.3-6.Final_redhat_6.1.ep7.el7
0:1.0.3-6.Final_redhat_6.1.ep7.el7
redhat/eap7-jbossws-cxf<0:5.1.10-1.Final_redhat_1.1.ep7.el7
0:5.1.10-1.Final_redhat_1.1.ep7.el7
redhat/eap7-narayana<0:5.5.31-1.Final_redhat_1.1.ep7.el7
0:5.5.31-1.Final_redhat_1.1.ep7.el7
redhat/eap7-picketlink-bindings<0:2.5.5-10.SP9_redhat_1.1.ep7.el7
0:2.5.5-10.SP9_redhat_1.1.ep7.el7
redhat/eap7-picketlink-federation<0:2.5.5-10.SP9_redhat_1.1.ep7.el7
0:2.5.5-10.SP9_redhat_1.1.ep7.el7
redhat/eap7-resteasy<0:3.0.25-1.Final_redhat_1.1.ep7.el7
0:3.0.25-1.Final_redhat_1.1.ep7.el7
redhat/eap7-undertow<0:1.4.18-4.SP2_redhat_1.1.ep7.el7
0:1.4.18-4.SP2_redhat_1.1.ep7.el7
redhat/eap7-undertow-jastow<0:2.0.3-1.Final_redhat_1.1.ep7.el7
0:2.0.3-1.Final_redhat_1.1.ep7.el7
redhat/eap7-wildfly<0:7.1.1-4.GA_redhat_2.1.ep7.el7
0:7.1.1-4.GA_redhat_2.1.ep7.el7
redhat/eap7-wildfly-elytron<0:1.1.8-1.Final_redhat_1.1.ep7.el7
0:1.1.8-1.Final_redhat_1.1.ep7.el7
redhat/eap7-wildfly-http-client<0:1.0.9-1.Final_redhat_1.1.ep7.el7
0:1.0.9-1.Final_redhat_1.1.ep7.el7
redhat/eap7-wildfly-javadocs<0:7.1.1-3.GA_redhat_2.1.ep7.el7
0:7.1.1-3.GA_redhat_2.1.ep7.el7
redhat/eap7-wss4j<0:2.1.11-1.redhat_1.1.ep7.el7
0:2.1.11-1.redhat_1.1.ep7.el7
redhat/eap7-xml-security<0:2.0.9-1.redhat_1.1.ep7.el7
0:2.0.9-1.redhat_1.1.ep7.el7
redhat/eap7-jboss-ec2-eap<0:7.1.1-3.1.GA_redhat_3.ep7.el7
0:7.1.1-3.1.GA_redhat_3.ep7.el7
debian/jackson-databind<=2.9.1-1, <=2.8.6-1+deb9u2, <=2.4.2-2+deb8u2
2.9.4-12.8.6-1+deb9u32.4.2-2+deb8u3
debian/jackson-databind
2.9.8-3+deb10u32.9.8-3+deb10u52.12.1-1+deb11u12.14.0-1
maven/com.fasterxml.jackson.core:jackson-databind<2.7.9.5
2.7.9.5
maven/com.fasterxml.jackson.core:jackson-databind>=2.8.0<2.8.11
2.8.11.1
maven/com.fasterxml.jackson.core:jackson-databind>=2.9.0<2.9.4
2.9.4
fasterxml jackson-databind>=2.0.0<2.6.7.3
fasterxml jackson-databind>=2.7.0<2.7.9.2
fasterxml jackson-databind>=2.8.0<2.8.11.1
fasterxml jackson-databind>=2.9.0<2.9.4
Debian Debian Linux=8.0
Debian Debian Linux=9.0
redhat OpenShift Container Platform=4.1
redhat Virtualization=4.0
redhat Virtualization Host=4.0
redhat Enterprise Linux Server=7.0
redhat JBoss Enterprise Application Platform=7.1
redhat Enterprise Linux Server=6.0
redhat OpenShift Container Platform=3.11
NetApp E-Series SANtricity OS Controller>=11.0.0<=11.60.3
NetApp E-series Santricity Web Services Proxy
NetApp Oncommand Shift
All of the following
Any of the following
redhat OpenShift Container Platform=4.1
redhat Virtualization=4.0
redhat Virtualization Host=4.0
redhat Enterprise Linux Server=7.0
All of the following
redhat JBoss Enterprise Application Platform=7.1
Any of the following
redhat Enterprise Linux Server=6.0
redhat Enterprise Linux Server=7.0
redhat/jackson-databind<2.9.4
2.9.4
IBM InfoSphere Data Architect<=9.2.1
Event History
Jan 18, 2018
CVE Published
12:00 AM
Jan 22, 2018
CVE Published
via MITRE·04:00 AM
Data Sourced
via MITRE·04:00 AM
Description
Jan 24, 2018
Data Sourced
via Red Hat·08:31 PM
DescriptionSeverityAffected Software
Jun 30, 2020
Advisory Published
via GitHub·08:40 PM
Mar 4, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Frequently Asked Questions
1
What is the severity of CVE-2018-5968?
CVE-2018-5968 is considered critical due to its potential for arbitrary code execution.
2
How do I fix CVE-2018-5968?
To remediate CVE-2018-5968, update the affected software packages to the recommended versions listed in the vulnerability advisory.
3
Which software is affected by CVE-2018-5968?
CVE-2018-5968 affects various Red Hat packages, including eap7-jackson-databind and others in the JBoss ecosystem.
4
Can CVE-2018-5968 be exploited remotely?
Yes, CVE-2018-5968 can be exploited by an unauthenticated user sending crafted input to vulnerable applications.
5
What type of vulnerability is CVE-2018-5968?
CVE-2018-5968 is a deserialization vulnerability in the Jackson Databind component.