RHSA-2017:3189: Important: rh-eclipse47-jackson-databind security update
The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.Security Fix(es): A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. (CVE-2017-15095) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting this issue.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2017:3189?
The severity of RHSA-2017:3189 is classified as critical due to a deserialization flaw in the jackson-databind package.
How do I fix RHSA-2017:3189?
To fix RHSA-2017:3189, upgrade jackson-databind to version 2.7.6-3.3.el7 or later.
What causes the vulnerability in RHSA-2017:3189?
The vulnerability in RHSA-2017:3189 is caused by a deserialization flaw that could allow an unauthenticated user to execute arbitrary code.
Which software is affected by RHSA-2017:3189?
RHSA-2017:3189 affects the jackson-databind packages, specifically versions prior to 2.7.6-3.3.el7.
Is there a workaround for RHSA-2017:3189?
There are no reliable workarounds for RHSA-2017:3189, so upgrading the affected packages is recommended.