FasterXML jackson-databind Vulnerability (CVE-2018-7489)

  • 7022869
  • 19-Apr-2018
  • 30-May-2018

Environment

Reflection for Secure IT Gateway 1.1 SP1 (1.1.1.1068)
Reflection ZFE 2.2.2 or earlier
Host Access Management and Security Server (MSS) 12.4.14 or earlier

Situation

Certain versions of the Jackson library (jackson-databind) allow unauthenticated remote code execution (RCE) when maliciously crafted JSON input is deserialized.

Resolution

This issue is resolved in new product releases that include an updated Jackson library (version 2.8.11.1 and higher, or 2.9.5 and higher). Product updates are available from the Downloads website to customers with current maintenance:
  • Reflection for Secure IT: Issue is resolved beginning in product version 1.1 SP1 U1 (1.1.1.1077), released April 2018.
  • Reflection ZFE: Issue is resolved beginning in version 2.2.3, released May 2018, which includes Host Access Management and Security Server 12.4.15.006 with Jackson library version 2.9.5.
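As an added example that is not part of this advisory or the products' own tooling, the following script locates jackson-databind jars under an installation directory and reports whether each is at or above the fixed versions named above (2.8.11.1 for the 2.8 line, 2.9.5 for the 2.9 line). It assumes that lines newer than 2.9 carry the fix and that lines older than 2.8 never received one; the sample directory tree it builds is constructed for the demonstration and is not a real product layout.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Fixed versions stated in the advisory: 2.8.11.1 and higher, 2.9.5 and higher.
FIXED = {(2, 8): (2, 8, 11, 1), (2, 9): (2, 9, 5)}
JAR_NAME = re.compile(r"jackson-databind-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def is_patched(version):
    """True if this jackson-databind version is at or above the advisory's fixed version."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return v >= FIXED[line]
    # Assumption: lines newer than 2.9 carry the fix; lines older than 2.8 never got one.
    return line > (2, 9)

def version_from_jar(path):
    """Version from the file name, falling back to the jar's Maven pom.properties."""
    m = JAR_NAME.search(Path(path).name)
    if m:
        return m.group(1)
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.endswith("jackson-databind/pom.properties"):
                for raw in z.read(name).decode().splitlines():
                    if raw.startswith("version="):
                        return raw.split("=", 1)[1].strip()
    return None

def scan(root):
    """Map each jackson-databind jar found under root to (version, patched)."""
    found = {}
    for jar in Path(root).rglob("jackson-databind*.jar"):
        version = version_from_jar(jar)
        if version:
            found[jar.name] = (version, is_patched(version))
    return found

def make_sample_install():
    """Constructed sample tree (not a real product layout): one vulnerable jar, one fixed jar."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    zipfile.ZipFile(root / "lib" / "jackson-databind-2.9.4.jar", "w").close()
    with zipfile.ZipFile(root / "lib" / "jackson-databind.jar", "w") as z:
        z.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties", "version=2.9.5\n")
    return root
```

Run `scan("/path/to/install")` against a real installation directory; any entry reported as not patched should be updated to the product releases listed above.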

Status

Security Alert

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2018-7489
On 30-May-2018, this document was published with incorrect affected-version information; it was corrected later the same day.