FasterXML jackson-databind Vulnerability (CVE-2018-7489)

  • 7022869
  • 19-Apr-2018
  • 30-May-2018


Reflection for Secure IT Gateway 1.1 SP1 (
Reflection ZFE 2.2.2 or earlier
Host Access Management and Security Server (MSS) 12.4.14 or earlier


Certain versions of the Jackson library (jackson-databind) allow unauthenticated remote code execution (RCE), exploitable by maliciously crafted JSON input.


This issue is resolved in new product releases that include an updated Jackson library (version and higher, 2.9.5 and higher). Product updates are available to maintained customers from the Downloads website:
  • Reflection for Secure IT: Issue is resolved beginning in product version 1.1 SP1 U1 (, released April 2018.
  • Reflection ZFE: Issue is resolved beginning in version 2.2.3, released May 2018, which includes Host Access Management and Security Server with Jackson library version 2.9.5.
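
A check for the fix described above, as an added example that is not part of the original advisory or any vendor code: it walks an install directory, finds bundled jackson-databind copies (including jars nested in WAR/EAR files) and compares each version with the 2.9.5 release named here. The function names and status labels are illustrative, and the Maven metadata path is assumed to be present in the jar, with the file name as fallback; fixed versions for older release lines are not stated on this page, so those copies are reported as check-advisory.

```python
import io
import re
import zipfile
from pathlib import Path

FIXED = (2, 9, 5)  # fixed Jackson release named in this advisory
# Maven metadata path inside a jackson-databind jar (assumed present; file name is the fallback)
POM = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
NAME_RE = re.compile(r"jackson-databind-(\d+(?:\.\d+)+)[^/]*\.jar$")

def parse_version(text):
    """'2.9.4' or '2.8.11.1' -> tuple of ints; suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def classify(version):
    """Map a version tuple to a status label (labels are illustrative)."""
    if version >= FIXED:
        return "fixed"
    if version[:2] == (2, 9):
        return "update-needed"  # 2.9 line, below the 2.9.5 fix
    return "check-advisory"  # older release lines: fixed version not stated on this page

def scan_archive(name, data, found):
    """Record jackson-databind copies in this archive and in archives nested inside it."""
    m = NAME_RE.search(name)
    version = parse_version(m.group(1)) if m else None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if POM in names:  # metadata also catches renamed or repackaged copies
                v = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
                version = (parse_version(v.group(1)) if v else None) or version
            for inner in names:
                if inner.endswith((".jar", ".war")):
                    scan_archive(f"{name}!/{inner}", zf.read(inner), found)
    except zipfile.BadZipFile:
        pass  # not a readable archive; keep any version taken from the file name
    if version is not None:
        found[name] = classify(version)

def scan_tree(root):
    """Return {archive path: status} for every jackson-databind copy under root."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in {".jar", ".war", ".ear"}:
            scan_archive(str(path), path.read_bytes(), found)
    return found
```

Call scan_tree with the product's install directory; any entry not reported as fixed is a copy to follow up against the product updates listed above.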


Security Alert

Additional Information
On 30-May-2018, this published document contained incorrect affected version information; it was corrected later the same day.