CVE-2017-15095

Name of the Vulnerable Software and Affected Versions: jackson-databind versions prior to 2.8.11 and 2.9.4 debian linux (affected versions not specified) fasterxml jackson-databind (affected versions not specified) netapp oncommand balance (affected versions not specified) netapp oncommand performance manager (affected versions not specified) netapp oncommand shift (affected versions not specified) netapp snapcenter (affected versions not specified) oracle banking platform (affected versions not specified) oracle clusterware (affected versions not specified) oracle communications billing and revenue management (affected versions not specified) oracle communications diameter signaling router (affected versions not specified) oracle communications instant messaging server (affected versions not specified) oracle database server (affected versions not specified) oracle enterprise manager for virtualization (affected versions not specified) oracle financial services analytical applications infrastructure (affected versions not specified) oracle global lifecycle management opatchauto (affected versions not specified) oracle identity manager (affected versions not specified) oracle jd edwards enterpriseone tools (affected versions not specified) oracle primavera unifier (affected versions not specified) oracle utilities advanced spatial and operational analytics (affected versions not specified) oracle webcenter portal (affected versions not specified) redhat jboss enterprise application platform (affected versions not specified) redhat openshift container platform (affected versions not specified) redhat satellite (affected versions not specified) redhat satellite capsule (affected versions not specified)

Description: A deserialization flaw was discovered in the jackson-databind, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends a previous flaw by blacklisting more classes that could be used maliciously.

Recommendations: For jackson-databind versions prior to 2.8.11 and 2.9.4, update to version 2.8.11 or 2.9.4 or later. For other affected products, at the moment, there is no information about a newer version that contains a fix for this vulnerability.