CVE编号
CVE-2018-1000873利用情况
暂无补丁情况
官方补丁披露时间
2018-12-21漏洞描述
Fasterxml Jackson版本2.9.8之前包含一个CWE-20:Jackson-Modules-Java8中的错误输入验证漏洞,可能导致拒绝服务(DoS)。此攻击似乎可以通过受害者反序列化恶意输入,特别是time值的nanoseconds字段中的非常大的值。此漏洞似乎已在2.9.8中修复。<br><br>解决建议
厂商已发布了漏洞修复程序,请及时关注更新:https://github.com/FasterXML/jackson-modules-java8/pull/87
参考链接 |
|
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1665601 | |
| https://github.com/FasterXML/jackson-modules-java8/issues/90 | |
| https://github.com/FasterXML/jackson-modules-java8/pull/87 | |
| https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d... | |
| https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a... | |
| https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec... | |
| https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34... | |
| https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fa... | |
| https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be1... | |
| https://security.netapp.com/advisory/ntap-20200904-0004/ | |
| https://www.oracle.com/security-alerts/cpuapr2020.html | |
| https://www.oracle.com/security-alerts/cpuoct2020.html | |
| https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | |
| https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | fasterxml | jackson-databind | * |
Up to (excluding) 2.9.8 |
|||||
| 运行在以下环境 | |||||||||
| 应用 | redhat | jboss_enterprise_application_platform | 7.0 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_29 | bouncycastle | * |
Up to (excluding) 1.61-1.fc29 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_29 | bouncycastle-javadoc | * |
Up to (excluding) 1.61-1.fc29 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_29 | bouncycastle-mail | * |
Up to (excluding) 1.61-1.fc29 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_29 | bouncycastle-pg | * |
Up to (excluding) 1.61-1.fc29 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_29 | bouncycastle-pkix | * |
Up to (excluding) 1.61-1.fc29 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_29 | bouncycastle-tls | * |
Up to (excluding) 1.61-1.fc29 |
|||||
- 攻击路径 远程
- 攻击复杂度 复杂
- 权限要求 无需权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 100
还没有评论,来说两句吧...