NVD脆弱性詳細

CVE-2018-12022

概要	An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
公表日	2019年3月22日1:00
登録日	2021年3月1日18:48
最終更新日	2024年11月21日12:44

CVSS3.1 : HIGH
スコア	7.5
ベクター	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

CVSS2.0 : MEDIUM
スコア	5.1
ベクター	AV:N/AC:H/Au:N/C:P/I:P/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	低
全ての特権を取得	いいえ
ユーザー権限を取得	いいえ
その他の権限を取得	いいえ
ユーザー操作が必要	いいえ

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.7.0			2.7.9.4
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.8.0			2.8.11.2
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.9.0			2.9.6
cpe:2.3:a:fasterxml:jackson-databind::::::::	2.0.0			2.6.7.3

構成2	以上	以下	より上	未満
cpe:2.3:o:debian:debian_linux:9.0:::::::*
cpe:2.3:o:fedoraproject:fedora:29:::::::*

構成3	以上	以下	より上	未満
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:::::::*
cpe:2.3:a:oracle:retail_merchandising_system:15.0:::::::*

構成4	以上	以下	より上	未満
cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:::::::*
cpe:2.3:a:redhat:single_sign-on:7.3:::::::*
cpe:2.3:a:redhat:jboss_brms:6.4.10:::::::*
cpe:2.3:a:redhat:automation_manager:7.3.1:::::::*
cpe:2.3:a:redhat:decision_manager:7.3.1:::::::*

関連情報、対策とツール

No	URL	タグ
1	http://www.securityfocus.com/bid/107585	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/107585	Third Party Advisory VDB Entry
3	https://access.redhat.com/errata/RHBA-2019:0959	Third Party Advisory
4	https://access.redhat.com/errata/RHBA-2019:0959	Third Party Advisory
5	https://access.redhat.com/errata/RHSA-2019:0782	Third Party Advisory
6	https://access.redhat.com/errata/RHSA-2019:0782	Third Party Advisory
7	https://access.redhat.com/errata/RHSA-2019:0877	Third Party Advisory
8	https://access.redhat.com/errata/RHSA-2019:0877	Third Party Advisory
9	https://access.redhat.com/errata/RHSA-2019:1106	Third Party Advisory
10	https://access.redhat.com/errata/RHSA-2019:1106	Third Party Advisory
11	https://access.redhat.com/errata/RHSA-2019:1107	Third Party Advisory
12	https://access.redhat.com/errata/RHSA-2019:1107	Third Party Advisory
13	https://access.redhat.com/errata/RHSA-2019:1108	Third Party Advisory
14	https://access.redhat.com/errata/RHSA-2019:1108	Third Party Advisory
15	https://access.redhat.com/errata/RHSA-2019:1140	Third Party Advisory
16	https://access.redhat.com/errata/RHSA-2019:1140	Third Party Advisory
17	https://access.redhat.com/errata/RHSA-2019:1782	Third Party Advisory
18	https://access.redhat.com/errata/RHSA-2019:1782	Third Party Advisory
19	https://access.redhat.com/errata/RHSA-2019:1797	Third Party Advisory
20	https://access.redhat.com/errata/RHSA-2019:1797	Third Party Advisory
21	https://access.redhat.com/errata/RHSA-2019:1822	Third Party Advisory
22	https://access.redhat.com/errata/RHSA-2019:1822	Third Party Advisory
23	https://access.redhat.com/errata/RHSA-2019:1823	Third Party Advisory
24	https://access.redhat.com/errata/RHSA-2019:1823	Third Party Advisory
25	https://access.redhat.com/errata/RHSA-2019:2804	Third Party Advisory
26	https://access.redhat.com/errata/RHSA-2019:2804	Third Party Advisory
27	https://access.redhat.com/errata/RHSA-2019:2858	Third Party Advisory
28	https://access.redhat.com/errata/RHSA-2019:2858	Third Party Advisory
29	https://access.redhat.com/errata/RHSA-2019:3002	Third Party Advisory
30	https://access.redhat.com/errata/RHSA-2019:3002	Third Party Advisory
31	https://access.redhat.com/errata/RHSA-2019:3140	Third Party Advisory
32	https://access.redhat.com/errata/RHSA-2019:3140	Third Party Advisory
33	https://access.redhat.com/errata/RHSA-2019:3149	Third Party Advisory
34	https://access.redhat.com/errata/RHSA-2019:3149	Third Party Advisory
35	https://access.redhat.com/errata/RHSA-2019:3892	Third Party Advisory
36	https://access.redhat.com/errata/RHSA-2019:3892	Third Party Advisory
37	https://access.redhat.com/errata/RHSA-2019:4037	Third Party Advisory
38	https://access.redhat.com/errata/RHSA-2019:4037	Third Party Advisory
39	https://bugzilla.redhat.com/show_bug.cgi?id=1671098	Issue Tracking Third Party Advisory
40	https://bugzilla.redhat.com/show_bug.cgi?id=1671098	Issue Tracking Third Party Advisory
41	https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a	Patch Third Party Advisory
42	https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a	Patch Third Party Advisory
43	https://github.com/FasterXML/jackson-databind/issues/2052	Patch Third Party Advisory
44	https://github.com/FasterXML/jackson-databind/issues/2052	Patch Third Party Advisory
45	https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
46	https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
47	https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E
48	https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E
49	https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
50	https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
51	https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
52	https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
53	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/
54	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/
55	https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
56	https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
57	https://seclists.org/bugtraq/2019/May/68	Mailing List Third Party Advisory
58	https://seclists.org/bugtraq/2019/May/68	Mailing List Third Party Advisory
59	https://security.netapp.com/advisory/ntap-20190530-0003/	Third Party Advisory
60	https://security.netapp.com/advisory/ntap-20190530-0003/	Third Party Advisory
61	https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf	Technical Description Third Party Advisory
62	https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf	Technical Description Third Party Advisory
63	https://www.debian.org/security/2019/dsa-4452	Third Party Advisory
64	https://www.debian.org/security/2019/dsa-4452	Third Party Advisory
65	https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
66	https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
67	https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory
68	https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory
69	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
70	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
71	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory
72	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-502	信頼性のないデータのデシリアライゼーション	https://cwe.mitre.org/data/definitions/502.html

JVN脆弱性情報

FasterXML jackson-databind における信頼性のないデータのデシリアライゼーションに関する脆弱性

タイトル	FasterXML jackson-databind における信頼性のないデータのデシリアライゼーションに関する脆弱性
概要	FasterXML jackson-databind には、信頼性のないデータのデシリアライゼーションに関する脆弱性が存在します。
想定される影響	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2018年6月8日0:00
登録日	2019年4月16日10:47
最終更新日	2019年4月16日10:47

影響を受けるシステム

Fedora Project

Fedora

FasterXML, LLC

Jackson-databind 2.7.9.4 未満

Jackson-databind 2.8.11.2 未満

Jackson-databind 2.9.6 未満

Jackson-databind 2.7.9.4 未満

Jackson-databind 2.8.11.2 未満

Jackson-databind 2.9.6 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-12022	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
2	CVE-2018-12022	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
GitHub
3	CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library #2052	https://github.com/FasterXML/jackson-databind/issues/2052
4	CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library #2052	https://github.com/FasterXML/jackson-databind/issues/2052
National Vulnerability Database (NVD)
5	CVE-2018-12022	https://nvd.nist.gov/vuln/detail/CVE-2018-12022
6	CVE-2018-12022	https://nvd.nist.gov/vuln/detail/CVE-2018-12022

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-502	https://cwe.mitre.org/data/definitions/502.html
2	CWE-502	https://cwe.mitre.org/data/definitions/502.html

ベンダー情報

No	名前	URL
Fedora Project
1	FEDORA-2019-df57551f6d	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/
2	FEDORA-2019-df57551f6d	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/
GitHub
3	Backport #2052, #2058 fixes for 2.7.9.4	https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a
4	Backport #2052, #2058 fixes for 2.7.9.4	https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a

変更履歴

No	変更内容	変更日
1	[2019年04月16日] 掲載	2019年4月16日10:47
1	[2019年04月16日] 掲載	2019年4月16日10:47

構成4	以上	以下	より上	未満
cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:::::::*
cpe:2.3:a:redhat:single_sign-on:7.3:::::::*
cpe:2.3:a:redhat:jboss_brms:6.4.10:::::::*
cpe:2.3:a:redhat:automation_manager:7.3.1:::::::*
cpe:2.3:a:redhat:decision_manager:7.3.1:::::::*