Security Bulletin: Publicly disclosed vulnerabilities in Jackson-databind affect IBM Spectrum LSF

Created by Ji Shan Xing on
Published URL: https://www.ibm.com/support/pages/node/874268

Security Bulletin

Summary

Publicly disclosed vulnerabilities in Jackson-databind affect IBM Spectrum LSF: CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489

Vulnerability Details

CVE-2017-7525
Jackson-databind (also implemented in JBoss BPM Suite) is vulnerable to remote code execution when deserializing via the `readValue()` method of `ObjectMapper`.

CVE-2017-15095
An unauthenticated attacker can create a specially crafted payload that, when deserialized by `Jackson-databind`, can lead to code execution.

CVE-2017-17485
Deserialization of untrusted user data in Jackson Databind could allow an attacker to perform PHP Object Injection resulting in remote code execution. This issue exists because of an incomplete fix for CVE-2017-7525, which the vendor tried to address through an incomplete blocklist.

CVE-2018-5968
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blocklist.

CVE-2018-7489
FasterXML jackson-databind contains a remote code execution (RCE) vulnerability due to an incomplete fix for the CVE-2017-7525 deserialization flaw. An unauthenticated attacker can exploit this vulnerability via the `readValue` method to execute arbitrary code.
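
All five CVEs share one root cause: default typing lets the client choose the class that `readValue()` instantiates, and jackson's blocklist of known gadget classes kept being bypassed. The following is an added example (not from this bulletin, and not LSF's own code; LSF itself is fixed by the IBM patch below) for an application that embeds jackson-databind: the weak configuration beside the allowlist-based hardening available from jackson-databind 2.10. The `JobRequest` type and the package prefix `com.example.lsfclient.` are assumptions.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeJacksonConfig {

    // Hypothetical application type: the only base type for which
    // type-id driven (polymorphic) deserialization is permitted.
    public static class JobRequest {
        public String name;
        public int slots;
    }

    // Weak: legacy default typing accepts any class name the client puts in
    // the type id and depends on jackson's blocklist of known gadget classes,
    // the mechanism each CVE above bypassed. Shown for contrast only.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // Hardened: default typing is active only through an allowlist
    // (jackson-databind 2.10+). Type ids outside it fail closed.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType(JobRequest.class)         // only this hierarchy
                .allowIfSubType("com.example.lsfclient.")  // hypothetical package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns true when the mapper refuses a type id outside the allowlist.
    static boolean rejectsForeignTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;   // validator "denied resolution" of the type id
        } catch (java.io.IOException e) {
            return false;  // malformed input, not an allowlist decision
        }
    }

    public static void main(String[] args) {
        // Constructed input: a harmless JDK class as the type id; the
        // application never asked for it, so the hardened mapper rejects it.
        String untrusted = "[\"java.util.HashMap\", {\"name\":\"x\"}]";
        System.out.println("hardened rejects: " + rejectsForeignTypeId(hardenedMapper(), untrusted));
    }
}
```

The same input passes through `weakMapper()` because `java.util.HashMap` is not on the blocklist, which is exactly why a blocklist cannot be the control.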

Affected Products and Versions

IBM Spectrum LSF 10.0.0.4
IBM Spectrum LSF 10.0.0.5
IBM Spectrum LSF 10.0.0.6
IBM Spectrum LSF 10.0.0.7

Remediation/Fixes

| Product | VRMF | APAR | Remediation / First Fix |
|---|---|---|---|
| LSF | 10.1.0.4 | None | See fix below |
| LSF | 10.1.0.5 | None | See fix below |
| LSF | 10.1.0.6 | None | See fix below |
| LSF | 10.1.0.7 | None | See fix below |

Download Fix 512358 from the following location:
http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+LSF&release=All&platform=All&function=fixId&fixids=lsf-10.1-build512358&includeSupersedes=0

1) Go to the patch install directory: `cd $LSF_ENVDIR/../10.1/install/`

2) Copy the patch file to the install directory `$LSF_ENVDIR/../10.1/install/`

3) Run patchinstall: `./patchinstall <patch>`

4) Run `badmin mbdrestart`

Workarounds and Mitigations

References

Change History

28 February 2019: Original version created

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 01 March 2019

UID: ibm10874268