Rule Category

SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.

Alert Message

SERVER-OTHER Jackson databind deserialization remote code execution attempt

Rule Explanation

This event is generated when an authenticated remote attacker attempts to exploit a vulnerable version of FasterXML Jackson-Databind. Impact: Allows unauthorized disclosure of information Details: The vulnerability is due to improper validation of maliciously crafted JSON handled by the readValue method of the ObjectMapper. Ease of Attack: Simple

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

CVE Additional Information

CVE-2017-17485
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Details
Severity Base Score
Impact Score Exploit Score
Confidentiality Impact Integrity Impact
Availability Impact Access Vector
Authentication Ease of Access