Issued:
2017-07-31
Updated:
2017-07-31

RHSA-2017:1840 - Security Advisory

Synopsis

Important: devtoolset-4-jackson-databind security update

Type/Severity

Security Advisory: Important

Topic

An update for devtoolset-4-jackson-databind is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.

Security Fix(es):

  • A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting this issue.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64

Fixes

  • BZ - 1462702 - CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper

CVEs

References

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5

SRPM
devtoolset-4-jackson-databind-2.5.0-2.4.el7.src.rpm SHA-256: 759c97f07d68b86ddead80d77d1ac20a50b961f4d687674a6447a30329d88eb8
x86_64
devtoolset-4-jackson-databind-2.5.0-2.4.el7.noarch.rpm SHA-256: e5a49c3df0857f13aa28a7e32a651254342f92b5a6250b67dfaa9bc5088b982e
devtoolset-4-jackson-databind-javadoc-2.5.0-2.4.el7.noarch.rpm SHA-256: 3f61a105f2252584b0db4fa2d93a76129fd75c3d563b3d690d82ef6769de4c80

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4

SRPM
devtoolset-4-jackson-databind-2.5.0-2.4.el7.src.rpm SHA-256: 759c97f07d68b86ddead80d77d1ac20a50b961f4d687674a6447a30329d88eb8
x86_64
devtoolset-4-jackson-databind-2.5.0-2.4.el7.noarch.rpm SHA-256: e5a49c3df0857f13aa28a7e32a651254342f92b5a6250b67dfaa9bc5088b982e
devtoolset-4-jackson-databind-javadoc-2.5.0-2.4.el7.noarch.rpm SHA-256: 3f61a105f2252584b0db4fa2d93a76129fd75c3d563b3d690d82ef6769de4c80

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3

SRPM
devtoolset-4-jackson-databind-2.5.0-2.4.el7.src.rpm SHA-256: 759c97f07d68b86ddead80d77d1ac20a50b961f4d687674a6447a30329d88eb8
x86_64
devtoolset-4-jackson-databind-2.5.0-2.4.el7.noarch.rpm SHA-256: e5a49c3df0857f13aa28a7e32a651254342f92b5a6250b67dfaa9bc5088b982e
devtoolset-4-jackson-databind-javadoc-2.5.0-2.4.el7.noarch.rpm SHA-256: 3f61a105f2252584b0db4fa2d93a76129fd75c3d563b3d690d82ef6769de4c80

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
devtoolset-4-jackson-databind-2.5.0-2.4.el7.src.rpm SHA-256: 759c97f07d68b86ddead80d77d1ac20a50b961f4d687674a6447a30329d88eb8
x86_64
devtoolset-4-jackson-databind-2.5.0-2.4.el7.noarch.rpm SHA-256: e5a49c3df0857f13aa28a7e32a651254342f92b5a6250b67dfaa9bc5088b982e
devtoolset-4-jackson-databind-javadoc-2.5.0-2.4.el7.noarch.rpm SHA-256: 3f61a105f2252584b0db4fa2d93a76129fd75c3d563b3d690d82ef6769de4c80

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7

SRPM
devtoolset-4-jackson-databind-2.5.0-2.4.el6.src.rpm SHA-256: bd9e31aa715f292ef5bede3149ed9a0dc1e234967168a1ca56d34018fb4fbe49
x86_64
devtoolset-4-jackson-databind-2.5.0-2.4.el6.noarch.rpm SHA-256: 0c69501d0f8a5b8da1a9ca8ee00513bd173150f327afadda7c1c613977f393a0
devtoolset-4-jackson-databind-javadoc-2.5.0-2.4.el6.noarch.rpm SHA-256: 331ea0627587577cf6f714d19b13afa599a189f1fe94944272d75d1a10815ddd

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6

SRPM
devtoolset-4-jackson-databind-2.5.0-2.4.el6.src.rpm SHA-256: bd9e31aa715f292ef5bede3149ed9a0dc1e234967168a1ca56d34018fb4fbe49
x86_64
devtoolset-4-jackson-databind-2.5.0-2.4.el6.noarch.rpm SHA-256: 0c69501d0f8a5b8da1a9ca8ee00513bd173150f327afadda7c1c613977f393a0
devtoolset-4-jackson-databind-javadoc-2.5.0-2.4.el6.noarch.rpm SHA-256: 331ea0627587577cf6f714d19b13afa599a189f1fe94944272d75d1a10815ddd

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
devtoolset-4-jackson-databind-2.5.0-2.4.el7.src.rpm SHA-256: 759c97f07d68b86ddead80d77d1ac20a50b961f4d687674a6447a30329d88eb8
x86_64
devtoolset-4-jackson-databind-2.5.0-2.4.el7.noarch.rpm SHA-256: e5a49c3df0857f13aa28a7e32a651254342f92b5a6250b67dfaa9bc5088b982e
devtoolset-4-jackson-databind-javadoc-2.5.0-2.4.el7.noarch.rpm SHA-256: 3f61a105f2252584b0db4fa2d93a76129fd75c3d563b3d690d82ef6769de4c80

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6

SRPM
devtoolset-4-jackson-databind-2.5.0-2.4.el6.src.rpm SHA-256: bd9e31aa715f292ef5bede3149ed9a0dc1e234967168a1ca56d34018fb4fbe49
x86_64
devtoolset-4-jackson-databind-2.5.0-2.4.el6.noarch.rpm SHA-256: 0c69501d0f8a5b8da1a9ca8ee00513bd173150f327afadda7c1c613977f393a0
devtoolset-4-jackson-databind-javadoc-2.5.0-2.4.el6.noarch.rpm SHA-256: 331ea0627587577cf6f714d19b13afa599a189f1fe94944272d75d1a10815ddd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.