[ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

Lukasz Lenart
Hi,

After further clarification we increased impact of a vulnerability
reported to us and described as S2-055 to High. The vulnerability
exists in a JSON Jackson library and it's registered under
CVE-2017-7525. Please read the bulletin [1] and apply possible
solutions. This vulnerability impacts anyone using the vulnerable
Jackson JSON library (not only Struts users).

[1] https://cwiki.apache.org/confluence/display/WW/S2-055


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

Emi Lu
Hello,
> vulnerability exists in a JSON Jackson library and it's registered under
> CVE-2017-7525.
I think you mean the following jars right?

(1) jackson-core-2.9.2.jar
(2) jackson-annotations-2.9.0.jar
(3) jackson-databind-2.9.2.jar

> Please read the bulletin [1] and apply possible
> solutions. This vulnerability impacts anyone using the vulnerable
> Jackson JSON library (not only Struts users).
>
> [1] https://cwiki.apache.org/confluence/display/WW/S2-055
So, if do not use the above jars, it should be fine?

Thanks.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

Lukasz Lenart
2017-12-12 15:29 GMT+01:00 Emi <[hidden email]>:

> Hello,
>>
>> vulnerability exists in a JSON Jackson library and it's registered under
>> CVE-2017-7525.
>
> I think you mean the following jars right?
>
> (1) jackson-core-2.9.2.jar
> (2) jackson-annotations-2.9.0.jar
> (3) jackson-databind-2.9.2.jar

I didn't analyse which jars are affected by the CVE but I think you
are right and mostly it will be jackson-databind only.

>> Please read the bulletin [1] and apply possible
>> solutions. This vulnerability impacts anyone using the vulnerable
>> Jackson JSON library (not only Struts users).
>>
>> [1] https://cwiki.apache.org/confluence/display/WW/S2-055
>
> So, if do not use the above jars, it should be fine?

Yes


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

upendar devu
could someone please confirm what Jackson databind versions are impacted ?
we are using 2.7.1 version .

On Tue, Dec 12, 2017 at 9:45 AM, Lukasz Lenart <[hidden email]>
wrote:

> 2017-12-12 15:29 GMT+01:00 Emi <[hidden email]>:
> > Hello,
> >>
> >> vulnerability exists in a JSON Jackson library and it's registered under
> >> CVE-2017-7525.
> >
> > I think you mean the following jars right?
> >
> > (1) jackson-core-2.9.2.jar
> > (2) jackson-annotations-2.9.0.jar
> > (3) jackson-databind-2.9.2.jar
>
> I didn't analyse which jars are affected by the CVE but I think you
> are right and mostly it will be jackson-databind only.
>
> >> Please read the bulletin [1] and apply possible
> >> solutions. This vulnerability impacts anyone using the vulnerable
> >> Jackson JSON library (not only Struts users).
> >>
> >> [1] https://cwiki.apache.org/confluence/display/WW/S2-055
> >
> > So, if do not use the above jars, it should be fine?
>
> Yes
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

Lukasz Lenart
2017-12-12 16:22 GMT+01:00 upendar devu <[hidden email]>:
> could someone please confirm what Jackson databind versions are impacted ?
> we are using 2.7.1 version .

Here is a list [1] of unimpacted versions, which means any other are impacted

[1] https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-342983770


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]