TB043 CVE-2017-15095 (jackson-databind package) Evaluation

Alert Type

Security

Overview

CVE-2017-15095 and the earlier CVE-2017-7525 both concern vulnerabilities in versions of  the jackson-databind package prior to version 2.9.2. The jackson-databind package is a component of the Jackson JSON library for Java. Both vulnerabilities may present potential problems when using the global polymorphic deserialization feature of the jackson-databind package. If exploited, the vulnerabilities allow for arbitrary execution of code on servers.

Analysis

Delphix uses and co-packages version 2.6.4 of the Jackson library, including the jackson-databind package. Although all versions of the Jackson library older than 2.9.2 have been identified as susceptible to the referenced vulnerabilities, Delphix products are not vulnerable because they do not use the global polymorphic deserialization feature of the library. This means that under no circumstances could an exploit be fashioned that would allow arbitrary server code execution in Delphix resulting from the referenced vulnerabilities.

The Delphix Masking feature internally uses Jackson version 2.8.6. As with the Delphix Dynamic Data Platform product, it does not use affected features of the Jackson library and thus is not susceptible to the cited vulnerabilities.

Delphix uses the Jackson library to serialize and deserialize JSON data that is used in API calls to the Delphix Engine. These calls can be used by Delphix software components on Source Environments, Target Environments, and on the Delphix Platform itself. The calls are also available to be used for end-user applications. Delphix software components on Source and Target environments may co-package the Jackson library on customer servers that use Delphix. Although the Delphix components are not vulnerable, other applications that discover and use these co-packaged libraries could be vulnerable. Delphix co-packages the Jackson library in the Delphix Connector, a component that is used on Windows Server target environments (hosts).

The vulnerable global polymorphic deserialization feature of Jackson is disabled by default. It can only be enabled by one of three methods:

• Enabling globally by calling ObjectMapper->enableDefaultTyping()

• Use of a custom TypeResolverBuilder

• Locally using the @JsonTypeInfo annotation on a field.

No Delphix components in either the Data Platform or Masking products utilize any of these methods.

Delphix does use polymorphism with explicitly specified subtypes. This is the recommended remediation by the authors discovering the vulnerability.

Remediation

Because Delphix is not susceptible to the cited vulnerability, no remediation is necessary.

Delphix will update the Jackson libraries co-packaged with its products using the latest stable release of Jackson.  This update is in the Delphix 5.2.3.0 release.

Additional Information

FasterXML/Jackson: a standard JSON library for Java (external link)

CVE-2017-17485 (external link)

“Java Unmarshaller Security: Turning your data into code education”, Bechler, Moritz, May 22, 2017(external link)

Jackson Issue #1599: Jackson Deserializer security vulnerability via default typing (external link)

Jackson Issue #1680: Denylist could more types for deserialization (external link)

Jackson Issue #1855: Denylist for more serialization gadgets (dbcp/tomcat, spring) (external link)

Jackson Issue #1723: Deserialization vulnerability via readValue method of ObjectMapper (external link)

Jackson Issue #1737: Block more JDK types from polymorphic deserialization (external link)