RHSA-2017:1839: Important: rh-eclipse46-jackson-databind security update
The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.<br>Security Fix(es):<br><li> A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)</li> Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting this issue.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2017:1839?
The severity of RHSA-2017:1839 is classified as critical due to a deserialization flaw that could allow for remote code execution.
How do I fix RHSA-2017:1839?
To fix RHSA-2017:1839, update the jackson-databind package to version 2.6.3-2.3.el7 or later.
What products are affected by RHSA-2017:1839?
Affected products include rh-eclipse46-jackson-databind and its javadoc package versions prior to 2.6.3-2.3.el7.
Can I mitigate the risks associated with RHSA-2017:1839 without an update?
No, the best mitigation against the vulnerabilities in RHSA-2017:1839 is to apply the recommended update as soon as possible.
Are there any known exploits for RHSA-2017:1839?
Yes, potential exploits for RHSA-2017:1839 may allow attackers to execute arbitrary code via the deserialization flaw.