SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.
SERVER-OTHER Jackson databind deserialization remote code execution attempt
This event is generated when an authenticated remote attacker attempts to exploit a vulnerable version of FasterXML Jackson-Databind.
Impact: Allows unauthorized disclosure of information
Details: The vulnerability is due to improper validation of maliciously crafted JSON handled by the readValue method of the ObjectMapper.
Ease of Attack: Simple
No public information
No known false positives
Cisco Talos Intelligence Group
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org
CVE-2017-17485: FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
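To triage an alert from this rule, a defender can check whether the targeted application ships a jackson-databind version inside the range quoted above and whether Spring is on its classpath. The following is an added example, not part of the rule documentation or of Jackson itself; the sample lines are constructed, and the input format assumed is the group:artifact:jar:version:scope form printed by `mvn dependency:list`.

```python
import re

# Constructed sample in the style of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.3:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.3:compile
[INFO]    org.springframework:spring-context:jar:4.3.13.RELEASE:compile
""".splitlines()

# group:artifact:jar:version:scope (coordinates with a classifier are not handled)
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")

def parse_version(text):
    """Keep leading numeric components only: '2.9.0.pr3' -> (2, 9, 0)."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def is_affected(version):
    """Range from the CVE text: through 2.8.10, and 2.9.x through 2.9.3."""
    v = parse_version(version)
    if len(v) < 2:
        return False  # unparseable version string: review by hand
    if v[:2] == (2, 9):
        return v <= (2, 9, 3)
    return v <= (2, 8, 10)

def audit(lines):
    """Report affected jackson-databind versions and Spring artifacts seen."""
    affected, spring = [], []
    for line in lines:
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        if (group, artifact) == ("com.fasterxml.jackson.core", "jackson-databind"):
            if is_affected(version):
                affected.append(version)
        elif group.startswith("org.springframework"):
            spring.append(f"{artifact}:{version}")
    # Spring on the classpath is the condition the CVE text names for the bypass.
    return {"affected": affected, "spring": spring,
            "priority": bool(affected and spring)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```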