Jackson Deserialization Vulnerability (CVE-2017-17485)

  • 7022775
  • 24-Mar-2018
  • 30-May-2018


Verastream Host Integrator version 7.7 through 7.7.34
Reflection ZFE or earlier
Host Access Management and Security Server 12.4.13 or earlier


Certain versions of the Jackson library (jackson-databind) allow unauthenticated remote code execution (RCE) when they deserialize maliciously crafted JSON input.


This issue is addressed in newer product releases that include an updated Jackson library (version 2.9.4 or higher). Product updates are available to maintained customers from the Downloads website:

  • Host Access Management and Security Server (MSS): Issue is resolved beginning in version, released March 2017.
  • Reflection ZFE: Issue is resolved beginning in version 2.2.2, released March 2017, which includes Host Access Management and Security Server
  • Verastream Host Integrator (VHI): Issue is resolved beginning in 7.7 SP1 (version 7.7.1031 or, released March 2017.
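To confirm that an installed product actually carries the updated library, the following added example (not vendor tooling) scans a directory tree for jackson-databind jars and compares each against the 2.9.4 minimum stated above. The directory argument, function names and status labels are assumptions for illustration; the script reads the standard Maven `pom.properties` entry inside the jar and falls back to the file name.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 9, 4)  # minimum jackson-databind version this article names as fixed
POM = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")

def parse_version(text):
    """Return the leading dotted number of text as a tuple of ints, or None."""
    match = VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.group(0).split(".")) if match else None

def jar_version(jar_path):
    """Prefer the Maven metadata inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            for line in jar.read(POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line[len("version="):])
    except (KeyError, zipfile.BadZipFile, OSError):
        pass  # no metadata or unreadable archive: try the file name instead
    name = Path(jar_path).name
    prefix = "jackson-databind-"
    return parse_version(name[len(prefix):]) if name.startswith(prefix) else None

def scan(root):
    """Return (path, version, status) for every jackson-databind jar under root."""
    findings = []
    for jar_path in sorted(Path(root).rglob("jackson-databind*.jar")):
        version = jar_version(jar_path)
        if version is None:
            status = "UNKNOWN"       # needs manual inspection
        elif version < FIXED:
            status = "BELOW_FIXED"   # older than 2.9.4: update the product
        else:
            status = "OK"
        findings.append((str(jar_path), version, status))
    return findings

if __name__ == "__main__":
    # Assumed usage: python scan_jackson.py <product installation directory>
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(status, ".".join(map(str, version)) if version else "?", path)
```

Jars nested inside WAR or EAR archives, and copies of Jackson repackaged under another file name, are not opened by this scan and need a separate check.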


Security Alert

Additional Information