SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.
SERVER-OTHER Jackson databind deserialization remote code execution attempt
This event is generated when an authenticated remote attacker attempts to exploit a vulnerable version of FasterXML Jackson-Databind.
Allows unauthorized disclosure of information
The vulnerability is due to improper validation of maliciously crafted JSON handled by the readValue method of the ObjectMapper.
Ease of Attack:
What To Look For
No public information
No known false positives
Cisco Talos Intelligence Group
CVE Additional Information
CVE-2017-17485: FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
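A triage helper for hosts that raise this alert, added here as an example and not part of the original rule documentation: it checks a dependency listing for a jackson-databind version inside the range the CVE text states and for Spring artifacts on the same classpath. It assumes `mvn dependency:list` style coordinates (group:artifact:type:version:scope) and treats any group starting with org.springframework as "Spring libraries"; the function names and sample lines are constructed.

```python
import re

# Constructed sample in the coordinate form `mvn dependency:list` prints;
# these lines are illustrative and do not come from the original page.
SAMPLE = """\
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.3:compile
[INFO]    org.springframework:spring-context:jar:4.3.12.RELEASE:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.3:compile
"""

def version_tuple(version):
    """Leading numeric components, padded to three: '2.9.0.pr1' -> (2, 9, 0)."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums + [0] * (3 - len(nums)))

def in_cve_range(version):
    """Range exactly as the CVE text words it: through 2.8.10, 2.9.x through 2.9.3."""
    v = version_tuple(version)
    if v[:2] == (2, 9):
        return v <= (2, 9, 3)
    return v <= (2, 8, 10)

def triage(dependency_listing):
    """Return (finding, databind versions in range, Spring artifacts seen)."""
    databind, spring = [], []
    for line in dependency_listing.splitlines():
        tokens = line.split()
        fields = tokens[-1].split(":") if tokens else []
        if len(fields) < 5:
            continue  # not a full dependency coordinate
        group, artifact, version = fields[0], fields[1], fields[-2]
        if (group, artifact) == ("com.fasterxml.jackson.core", "jackson-databind"):
            if in_cve_range(version):
                databind.append(version)
        elif group.startswith("org.springframework"):  # assumption: "Spring libraries"
            spring.append(artifact)
    if not databind:
        return "not-in-range", databind, spring
    if spring:  # the condition under which the CVE text says the blacklist fails
        return "in-range-spring-present", databind, spring
    return "in-range-no-spring-seen", databind, spring

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result of in-range-no-spring-seen still calls for an upgrade, since the listing may not reflect the full runtime classpath.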