Security Bulletin S2-055


Security Bulletin S2-055

darrell.ambro
Hello,

I think it would be appropriate to update the Impact of Vulnerability to indicate that this issue could be used for remote code execution. The conversation in the Jackson Project Issues: https://github.com/FasterXML/jackson-databind/issues/1599 and articles such as https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/ make this fairly clear.

Users might be more concerned if the potential impact was more clearly identified.

Thanks,

Darrell Ambro CISSP, CSSLP, GWAPT
 
Cyber Security Research Scientist
Technical Lead - Dynamic Application Security Testing
Wells Fargo Cyber Threat Management



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Security Bulletin S2-055

Lukasz Lenart
Thank you for clarifying this; it wasn't clear to me what kind of issue that Jackson vulnerability was.


Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2017-12-08 2:09 GMT+01:00  <[hidden email]>:

> Hello,
>
> I think it would be appropriate to update the Impact of Vulnerability to indicate that this issue could be used for remote code execution. The conversation in the Jackson Project Issues: https://github.com/FasterXML/jackson-databind/issues/1599 and articles such as https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/ make this fairly clear.
>
> Users might be more concerned if the potential impact was more clearly identified.
>
> Thanks,
>
> Darrell Ambro CISSP, CSSLP, GWAPT
>
> Cyber Security Research Scientist
> Technical Lead - Dynamic Application Security Testing
> Wells Fargo Cyber Threat Management
>
>
