CVE-2017-4995
It was found that spring security uses Jackson's enableDefaultTyping() polymorphic capability for object deserialization. Jackson has already addressed this issue by blacklisting well-known gadget classes. However, under a right circumstances (e.g. an existence of an old JDK and vulnerable Jackson in classpath), an attacker could use this vulnerability to craft a malicious payload which would be deserialized by Jackson via spring security. This execution could potentially lead to remote code execution on the target machine.
Find out more about CVE-2017-4995 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 8.1 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 9.0 | opendaylight | Under investigation |
| Red Hat OpenStack Platform 12.0 | opendaylight | Under investigation |
| Red Hat OpenStack Platform 11.0 (Ocata) | opendaylight | Under investigation |
| Red Hat OpenStack Platform 10 | opendaylight | Under investigation |
| Red Hat JBoss Fuse 6 | Camel | Not affected |