Jackson Deserialization Vulnerability (CVE-2017-17485)

  • 7022775
  • 24-Mar-2018
  • 30-May-2018

Environment

Verastream Host Integrator version 7.7 through 7.7.34
Reflection ZFE 2.2.1.9 or earlier
Host Access Management and Security Server 12.4.13 or earlier

Situation

Certain versions of the Jackson library (jackson-databind) allow unauthenticated remote code execution (RCE), exploitable by maliciously crafted JSON input.

Resolution

This issue is addressed in newer product releases that include an updated Jackson library (version 2.9.4 or higher). Product updates are available to maintained customers from the Downloads website:

  • Host Access Management and Security Server (MSS): Issue is resolved beginning in version 12.4.14.008, released March 2017.
  • Reflection ZFE: Issue is resolved beginning in version 2.2.2, released March 2017, which includes Host Access Management and Security Server 12.4.14.008.
  • Verastream Host Integrator (VHI): Issue is resolved beginning in 7.7 SP1 (version 7.7.1031 or 7.7.1.1031), released March 2017.

Status

Security Alert

Additional Information

Feedback service temporarily unavailable. For content questions or problems, please contact Support.