Struts 2.3.X Impacted by S2-055?

Struts 2.3.X Impacted by S2-055?

infosec
It looks like the Jackson-databind issue is only associated with 2.5.X
versions of Struts. I just want to confirm that 2.3.X versions are not.

Thanks,

Adrian

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Struts 2.3.X Impacted by S2-055?

Yasser Zamani-2


On 12/8/2017 9:41 PM, [hidden email] wrote:
> It looks like the Jackson-databind issue is only associated with 2.5.X
> versions of Struts.

It's only with 2.5.14. Addressed in 2.5.14.1. But both 2.5.(x<14) and
2.3.x are impacted by S2-054.


>  I just want to confirm that 2.3.X versions are not.

No, they are not, if you did not manually use Jackson-databind.

Hope these help,
Yasser.


Re: Struts 2.3.X Impacted by S2-055?

Lukasz Lenart
2017-12-08 19:11 GMT+01:00  <[hidden email]>:
> It looks like the Jackson-databind issue is only associated with 2.5.X
> versions of Struts. I just want to confirm that 2.3.X versions are not.

Struts 2.3.x series is using a different version of the Jackson
library [1] and we have no knowledge if that version is vulnerable as
well. Also, 2.3.x series is using json-lib as a default JSON handler
implementation which means it's impacted by [2].

[1] https://github.com/apache/struts/blob/support-2-3/plugins/rest/pom.xml#L52
[2] https://cwiki.apache.org/confluence/display/WW/S2-054


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

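A check a defender can run against their own build, added here as an example; it is not code from the Struts project or from anyone in this thread. It parses a Maven pom.xml (a constructed sample is embedded), resolves `${property}` versions, records the struts2-core version and any jackson-databind or json-lib dependency declared directly, and applies only the version statements made in the replies above: S2-055 at 2.5.14 exactly, addressed in 2.5.14.1; S2-054 for 2.3.x and for 2.5.x below .14; and a manually added jackson-databind on 2.3.x flagged for review, per Yasser's caveat. The function names, the sample pom and its version numbers are assumptions.

```python
"""Scan a Maven pom.xml for the Struts version and JSON-handling libraries,
then apply the version statements made in this mailing-list thread.

Added example (not Struts project code). The rules encode only what the
replies state: S2-055 affects 2.5.14 exactly and is addressed in 2.5.14.1;
S2-054 affects 2.3.x and 2.5.x below .14; 2.3.x is outside S2-055 unless
jackson-databind was added by hand.
"""
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Artifacts worth inventorying, as groupId:artifactId.
STRUTS_CORE = "org.apache.struts:struts2-core"
JSON_LIBS = {
    "com.fasterxml.jackson.core:jackson-databind",
    "net.sf.json-lib:json-lib",
}

# Constructed sample pom.xml; versions are illustrative, not a real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>app</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.20</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.0</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'2.5.14.1' -> (2, 5, 14, 1); a non-numeric component stops the parse."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def assess(struts_version, declares_jackson_databind):
    """Return the advisory ids that apply, per the statements in this thread."""
    v = parse_version(struts_version)
    findings = []
    if v == (2, 5, 14):  # 2.5.14 exactly; 2.5.14.1 carries the fix
        findings.append("S2-055")
    if v[:2] == (2, 3) or (v[:2] == (2, 5) and len(v) > 2 and v[2] < 14):
        findings.append("S2-054")
    if v[:2] == (2, 3) and declares_jackson_databind:
        # 2.3.x is clear of S2-055 only without a manually added jackson-databind.
        findings.append("REVIEW-S2-055")
    return findings


def inventory(pom_xml):
    """Resolve ${property} versions, list JSON libraries, and assess struts2-core."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}

    def resolve(version):
        if version.startswith("${") and version.endswith("}"):
            return props.get(version[2:-1], version)
        return version

    struts_version = None
    json_deps = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        ga = "{}:{}".format(dep.findtext("m:groupId", "", POM_NS),
                            dep.findtext("m:artifactId", "", POM_NS))
        version = resolve(dep.findtext("m:version", "", POM_NS).strip())
        if ga == STRUTS_CORE:
            struts_version = version
        elif ga in JSON_LIBS:
            json_deps.append("{}:{}".format(ga, version))

    declares_databind = any(
        d.startswith("com.fasterxml.jackson.core:jackson-databind:") for d in json_deps)
    findings = (assess(struts_version, declares_databind)
                if struts_version else ["struts2-core not declared"])
    return {"struts_version": struts_version, "json_deps": json_deps,
            "findings": findings}


if __name__ == "__main__":
    for key, value in inventory(SAMPLE_POM).items():
        print("{}: {}".format(key, value))
```

The scan only sees dependencies declared in the pom itself. As Lukasz notes, json-lib is the default JSON handler in 2.3.x and arrives transitively through the REST plugin, so its absence from the pom does not mean it is absent from the classpath; the S2-054 finding is therefore keyed on the Struts version alone, and the resolved dependency tree (`mvn dependency:tree`) is the place to confirm what actually ships.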