Environment
Reflection for Secure IT Gateway 1.1 SP1 (1.1.1.1068)
Reflection ZFE 2.2.2 or earlier
Host Access Management and Security Server (MSS) 12.4.14 or earlier
Situation
Certain versions of the Jackson library (jackson-databind) allow unauthenticated remote code execution (RCE), exploitable by maliciously crafted JSON input.
Resolution
This issue is resolved in new product releases that include an updated Jackson library (2.8.11.1 or higher on the 2.8 line, 2.9.5 or higher on the 2.9 line). Product updates are available to maintained customers from the Downloads website:
- Reflection for Secure IT: Issue is resolved beginning in product version 1.1 SP1 U1 (1.1.1.1077), released April 2018.
- Reflection ZFE: Issue is resolved beginning in version 2.2.3, released May 2018, which includes Host Access Management and Security Server 12.4.15.006 with Jackson library version 2.9.5.
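The fixed releases above are defined in terms of the bundled jackson-databind version, so the practical check on any deployment is: which jackson-databind jars are actually on disk, and are they at or above 2.8.11.1 (2.8 line) or 2.9.5 (2.9 line)? The following script is an added example written for this page, not a tool from the product vendor or the Jackson project. It walks a directory tree, recovers the jar version from the file name or, for renamed jars, from the Maven pom.properties packed inside the jar, and reports each one against the thresholds stated in this advisory. The sample tree it builds under a temporary directory is constructed for the demonstration; versions below the 2.8 line are flagged for review because this advisory names no fixed release for them (a conservative assumption, not a statement from the page).

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Fixed jackson-databind releases named in the advisory for CVE-2018-7489:
# 2.8.11.1 and higher on the 2.8 line, 2.9.5 and higher on the 2.9 line.
FIXED_BY_LINE = {
    (2, 8): (2, 8, 11, 1),
    (2, 9): (2, 9, 5),
}

# Standard Maven metadata path inside a jackson-databind jar.
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"

# Matches e.g. jackson-databind-2.8.11.1.jar or jackson-databind-2.9.5-SNAPSHOT.jar
JAR_NAME_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+)+)(?:-[A-Za-z0-9.]+)?\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.8.11.1' -> (2, 8, 11, 1); tuples compare element-wise, so 2.8.11 < 2.8.11.1."""
    return tuple(int(part) for part in text.split("."))


def is_fixed(version: Tuple[int, ...]) -> bool:
    """True when the version is at or above the advisory's fixed release for its line."""
    line = version[:2]
    if line in FIXED_BY_LINE:
        return version >= FIXED_BY_LINE[line]
    # Lines newer than 2.9 are past the fix; older lines (2.7 and below) are flagged
    # for review because the advisory names no fixed release for them (assumption).
    return line > (2, 9)


def version_from_jar(jar: Path) -> Optional[str]:
    """Recover the jackson-databind version from the file name, else from pom.properties."""
    match = JAR_NAME_RE.match(jar.name)
    if match:
        return match.group(1)
    try:
        with zipfile.ZipFile(jar) as zf, zf.open(POM_PROPS) as fh:
            for raw in fh:
                line = raw.decode("utf-8", "replace").strip()
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        return None  # not a jar, or not a jackson-databind jar
    return None


def scan(root: Path) -> List[Tuple[str, str, str]]:
    """Return (path, version, verdict) for every jackson-databind jar found under root."""
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        version = version_from_jar(jar)
        if version is None:
            continue
        verdict = "fixed" if is_fixed(parse_version(version)) else "UPDATE"
        findings.append((str(jar), version, verdict))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one vulnerable jar named normally, one fixed jar that was renamed."""
    with zipfile.ZipFile(root / "jackson-databind-2.8.10.jar", "w"):
        pass  # empty but valid archive; the version comes from the file name
    (root / "lib").mkdir()
    with zipfile.ZipFile(root / "lib" / "renamed.jar", "w") as zf:
        zf.writestr(POM_PROPS, "version=2.9.5\n")


def run_demo() -> List[Tuple[str, str, str]]:
    """Build the constructed tree in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="jackson-scan-"))
    build_sample_tree(root)
    return scan(root)


if __name__ == "__main__":
    for path, version, verdict in run_demo():
        print(f"{verdict:7} {version:10} {path}")
```

Point `scan()` at the product's installation directory to inventory the real jars; a verdict of UPDATE means the jar is below the fixed release for its line and the product update listed above (or a newer one) should be applied.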
Status
Security Alert
Additional Information
https://nvd.nist.gov/vuln/detail/CVE-2018-7489
On 30-May-2018, this published document contained incorrect affected version information; it was corrected later the same day.