lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 9 Jan 2018 09:23:02 +0100
From: Imre Rad <>
Subject: CVE-2017-17485: one more way of rce in jackson-databind when
 defaultTyping+objects are used

Jackson-databind is a popular library in Java for JSON

It has a feature called default-typing: when the target class has some
polymorph fields inside (such as interfaces, abstract classes or the
Object base class), the library can include type info into the JSON
structure and use that info at unmarshalling. This can be dangerous
when the input is controlled by an attacker and the target class
contains a field of type Object or something general (like

After the original discoveries (CVE-2017-7525) had been reported, the
author patched this attack surface with a blacklist, which was
incomplete (as by nature of blacklists).

I created a proof-of-concept project as a follow-up to demonstrate one
more way of exploitation: by abusing Spring classes via Jackson, this
could lead to remote code execution.

MITRE assigned CVE-2017-17485 to this vulnerability.

The project is available on Github:

Affected versions:
The following ones (inclusive) and older: 2.9.3,, 2.8.10


The fixed versions, 2.8.11 and (this latter is to be
released at time of writing these lines) expanded the blacklist once
again so that Spring application contexts cannot be instantiated

The new major version (3.x) of Jackson-databind will address this
topic via a new API layer that provides a way to achieve
whitelisting-based serialization for these polymorph classes.

More info:

Powered by blists - more mailing lists