Vulnerability Name:

CVE-2017-17485 (CCN-137340)

Assigned:2017-12-10
Published:2018-01-09
Updated:2023-06-08
Summary:Jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the default-typing feature. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.8 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.8 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2017-17485

Source: CCN
Type: BugTraq Mailing List, Tue, 9 Jan 2018 09:23:02 +0100
CVE-2017-17485: one more way of rce in jackson-databind when defaultTyping+objects are used

Source: CCN
Type: IBM Security Bulletin 740849 (Rational Collaborative Lifecycle Management)
Security vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology

Source: CCN
Type: IBM Security Bulletin 870976 (InfoSphere Data Replication)
IBM InfoSphere Change Data Capture is affected by a Jackson 2.3.3 and 2.4.4 open source library vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2015305 (Business Automation Workflow)
Multiple vulnerabilities within Jackson JSON library affect IBM Business Automation Workflow (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489)

Source: CCN
Type: IBM Security Bulletin 2016016 (InfoSphere Information Server)
Multiple vulnerabilities in Jackson-databind affect IBM InfoSphere Information Server

Source: cve@mitre.org
Type: Third Party Advisory, VDB Entry
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: XF
Type: UNKNOWN
jacksondatabind-cve201717485-code-exec(137340)

Source: CCN
Type: jackson-databind GIT Repository
jackson-databind

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: CCN
Type: Packet Storm Security [01-10-2018]
Spring Jackson-Databind Default Typing Issue

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: CCN
Type: IBM Security Bulletin 885602 (PureApplication System)
Multiple vulnerabilities affect IBM PureApplication System

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: CCN
Type: IBM Security Bulletin 0872142 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2867997 (Rational Rhapsody Design Manager)
Security vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology

Source: CCN
Type: IBM Security Bulletin 6217806 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6244628 (Rational Publishing Engine)
Third party vulnerable library Jackson-Databind affects IBM Engineering Lifecycle Optimization - Publishing

Source: CCN
Type: IBM Security Bulletin 6324739 (Security Guardium Insights)
IBM Security Guardium Insights is affected by Components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6335281 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6340251 (Maximo Asset Management)
IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs - February 2020

Source: CCN
Type: IBM Security Bulletin 6348628 (Maximo Asset Management)
Multiple Vulnerabilities in Jackson Core affect IBM Maximo Asset Management

Source: CCN
Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: IBM Security Bulletin 6452485 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by multiple vulnerabilities in Jackson databind

Source: CCN
Type: IBM Security Bulletin 6528214 (Cloud Pak for Multicloud Management)
IBM Cloud Pak for Multicloud Management Monitoring has patched several open source dependencies

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:fasterxml:jackson-databind:2.9.3:*:*:*:*:*:*:*
  • OR cpe:/a:fasterxml:jackson-databind:2.7.9.1:*:*:*:*:*:*:*
  • OR cpe:/a:fasterxml:jackson-databind:2.8.10:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:infosphere_information_server:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.2.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.2.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.2.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_publishing_engine:6.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.2.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:pureapplication_system:2.2.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_data_replication:11.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_publishing_engine:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_insights:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.xenial:def:2017174850000000
    V
    		CVE-2017-17485 on Ubuntu 16.04 LTS (xenial) - high.
    2018-01-10
    oval:com.ubuntu.artful:def:201717485000
    V
    		CVE-2017-17485 on Ubuntu 17.10 (artful) - high.
    2018-01-10
    oval:com.ubuntu.xenial:def:201717485000
    V
    		CVE-2017-17485 on Ubuntu 16.04 LTS (xenial) - high.
    2018-01-10
    oval:com.ubuntu.disco:def:2017174850000000
    V
    		CVE-2017-17485 on Ubuntu 19.04 (disco) - high.
    2018-01-10
    oval:com.ubuntu.bionic:def:201717485000
    V
    		CVE-2017-17485 on Ubuntu 18.04 LTS (bionic) - high.
    2018-01-10
    oval:com.ubuntu.cosmic:def:2017174850000000
    V
    		CVE-2017-17485 on Ubuntu 18.10 (cosmic) - high.
    2018-01-10
    oval:com.ubuntu.cosmic:def:201717485000
    V
    		CVE-2017-17485 on Ubuntu 18.10 (cosmic) - high.
    2018-01-10
    oval:com.ubuntu.bionic:def:2017174850000000
    V
    		CVE-2017-17485 on Ubuntu 18.04 LTS (bionic) - high.
    2018-01-10
    oval:com.ubuntu.trusty:def:201717485000
    V
    		CVE-2017-17485 on Ubuntu 14.04 LTS (trusty) - high.
    2018-01-10
    BACK
    fasterxml jackson-databind 2.9.3
    fasterxml jackson-databind 2.7.9.1
    fasterxml jackson-databind 2.8.10
    ibm infosphere information server 11.3
    ibm rational collaborative lifecycle management 5.0
    ibm rational collaborative lifecycle management 5.0.1
    ibm maximo asset management 7.6.0
    ibm rational collaborative lifecycle management 5.0.2
    ibm rational collaborative lifecycle management 6.0
    ibm infosphere information server 11.5
    ibm security identity governance and intelligence 5.2
    ibm rational collaborative lifecycle management 6.0.1
    ibm security identity governance and intelligence 5.2.1
    ibm rational collaborative lifecycle management 6.0.2
    ibm rational collaborative lifecycle management 6.0.3
    ibm rational rhapsody design manager 6.0
    ibm rational rhapsody design manager 6.0.1
    ibm rational rhapsody design manager 6.0.2
    ibm rational rhapsody design manager 6.0.3
    ibm pureapplication system 2.2.3.0
    ibm rational collaborative lifecycle management 6.0.4
    ibm pureapplication system 2.2.3.1
    ibm pureapplication system 2.2.3.2
    ibm pureapplication system 2.2.4.0
    ibm rational collaborative lifecycle management 6.0.5
    ibm rational rhapsody design manager 6.0.4
    ibm infosphere information server 11.7
    ibm rational rhapsody design manager 6.0.5
    ibm business automation workflow 18.0.0.0
    ibm pureapplication system 2.2.5.0
    ibm pureapplication system 2.2.5.1
    ibm security identity governance and intelligence 5.2.2
    ibm security identity governance and intelligence 5.2.2.1
    ibm security identity governance and intelligence 5.2.3
    ibm security identity governance and intelligence 5.2.3.1
    ibm security identity governance and intelligence 5.2.3.2
    ibm maximo asset management 7.6.1
    ibm security identity governance and intelligence 5.2.4
    ibm rational rhapsody design manager 6.0.6
    ibm rational collaborative lifecycle management 6.0.6
    ibm rational publishing engine 6.0.6
    ibm pureapplication system 2.2.5.2
    ibm pureapplication system 2.2.5.3
    ibm infosphere data replication 11.4
    ibm security identity governance and intelligence 5.2.4.1
    ibm rational rhapsody design manager 6.0.6.1
    ibm data risk manager 2.0.6
    ibm security identity governance and intelligence 5.2.6
    ibm rational publishing engine 7.0
    ibm security guardium insights 2.0.1
    ibm security guardium data encryption 3.0.0.2