Jackson Deserialization Vulnerability (CVE-2017-17485)

  • 7022775
  • 24-Mar-2018
  • 30-May-2018

Environment

Verastream Host Integrator version 7.7 through 7.7.34
Reflection ZFE 2.2.1.9 or earlier
Host Access Management and Security Server 12.4.13 or earlier

Situation

Certain versions of the Jackson library (jackson-databind) allow unauthenticated remote code execution (RCE), exploitable by maliciously crafted JSON input.
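The flaw class behind CVE-2017-17485 is Jackson's polymorphic "default typing": when it is enabled globally, a JSON document can name the Java class that a loosely typed field is instantiated as, and a denylist of known-dangerous classes was the only thing standing between untrusted input and arbitrary class instantiation. The following Java example is added here for illustration and is not part of this advisory or of any of the products listed above; `JacksonTypingCheck`, `Envelope`, `Ticket` and `NotATicket` are hypothetical names, and the JSON inputs are constructed. It shows the weak mapper configuration side by side with two hardened ones (the allow-list API requires jackson-databind 2.10 or later, which is above the 2.9.4 floor the advisory names), so an application owner can see what to look for in code and what a rejected input looks like.

```java
// Added example, not from the advisory or the affected products: contrasts a
// jackson-databind ObjectMapper with global default typing enabled (the setting
// that exposes the CVE-2017-17485 flaw class) against two hardened setups.
// Assumes jackson-databind 2.10+ on the classpath.
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingCheck {

    // Hypothetical application DTO. A field whose static type is Object (or a
    // non-final interface) is exactly where an input-supplied type id takes
    // effect once default typing is switched on.
    public static class Envelope {
        public String id;
        public Object payload;
    }

    // The payload type the hypothetical application actually expects.
    public static class Ticket {
        public String subject;
    }

    // A class the application never meant to build from JSON. Stands in for
    // any class on the classpath that the input could name.
    public static class NotATicket {
        public int x;
    }

    // Constructed input that names an unintended class (wrapper-array form
    // is what enableDefaultTyping() accepts for Object-typed fields).
    static final String UNEXPECTED_TYPE =
        "{\"id\":\"42\",\"payload\":[\"JacksonTypingCheck$NotATicket\",{\"x\":1}]}";

    // Constructed input that names the expected class.
    static final String EXPECTED_TYPE =
        "{\"id\":\"43\",\"payload\":[\"JacksonTypingCheck$Ticket\",{\"subject\":\"hi\"}]}";

    // Weak configuration: global default typing with no type restriction.
    // Deprecated since 2.10; this call is what to search for in a code base.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened option 1: leave default typing off. The type id in the input
    // is then just data; "payload" binds to plain List/Map objects.
    static ObjectMapper safeMapperNoTyping() {
        return new ObjectMapper();
    }

    // Hardened option 2, for when polymorphic binding is really needed:
    // default typing gated by an allow-list of the application's own types.
    static ObjectMapper safeMapperAllowList() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Ticket.class)
            .build();
        return new ObjectMapper().activateDefaultTyping(
            ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Binds one input with one mapper and reports the runtime class of
    // "payload", or the rejection reason. The class name answers the question
    // "who chose this type: the application or the input?".
    static String bind(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return e.payload == null ? "null" : e.payload.getClass().getName();
        } catch (JsonProcessingException ex) {
            return "REJECTED: " + ex.getOriginalMessage();
        }
    }

    public static void main(String[] args) {
        // Input-chosen class is instantiated: JacksonTypingCheck$NotATicket
        System.out.println("default typing on : " + bind(weakMapper(), UNEXPECTED_TYPE));
        // Type id ignored, array binds as java.util.ArrayList
        System.out.println("default typing off: " + bind(safeMapperNoTyping(), UNEXPECTED_TYPE));
        // Validator denies the subtype: REJECTED: ...
        System.out.println("allow-list        : " + bind(safeMapperAllowList(), UNEXPECTED_TYPE));
        // Allowed subtype binds normally: JacksonTypingCheck$Ticket
        System.out.println("allow-list, Ticket: " + bind(safeMapperAllowList(), EXPECTED_TYPE));
    }
}
```

Upgrading jackson-databind to 2.9.4 or later, as the resolution above describes, removes the specific gadget this CVE used, but the denylist approach it relies on has needed repeated patching; the durable fix for an application that embeds the library is to not call `enableDefaultTyping()` at all, or to replace it with the validator-based `activateDefaultTyping` form shown in `safeMapperAllowList()`.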

Resolution

This issue is addressed in newer product releases that include an updated Jackson library (version 2.9.4 or higher). Product updates are available to maintained customers from the Downloads website:

  • Host Access Management and Security Server (MSS): Issue is resolved beginning in version 12.4.14.008, released March 2017.
  • Reflection ZFE: Issue is resolved beginning in version 2.2.2, released March 2017, which includes Host Access Management and Security Server 12.4.14.008.
  • Verastream Host Integrator (VHI): Issue is resolved beginning in 7.7 SP1 (version 7.7.1031 or 7.7.1.1031), released March 2017.

Status

Security Alert

Additional Information