Struts 2.5.14.1 version - Security fixes - Need clarifications


Struts 2.5.14.1 version - Security fixes - Need clarifications

upendar devu
CVE-2017-15095 & CVE-2017-7525 (S2-054 & S2-055) have been fixed in
version 2.5.14.1.

We are using struts2 version 2.5.13, not using the struts based REST plugin,
but using the jackson versions below.

I'm confused about the problem statements of these 2 CVEs reported. Is the
impact for those using the Struts based REST plugin? I'm not using this, but
the jackson versions below are being used. Are we impacted? Please confirm,
along with a detailed problem statement of who will be impacted by these 2 CVEs.

 jackson-annotations-2.7.0.jar
 jackson-module-jaxb-annotations-2.7.1.jar
 jackson-jaxrs-json-provider-2.7.1.jar
 jackson-jaxrs-base-2.7.1.jar
 jackson-databind-2.7.1.jar
 jackson-core-2.7.1.jar


Thanks

Re: Struts 2.5.14.1 version - Security fixes - Need clarifications

Yasser Zamani-2


On 12/6/2017 9:40 PM, upendar devu wrote:
> is this impact for those using Struts based REST plugin ?

CVE-2017-15707 [1] is for those using Struts' REST Plugin [2]. Before
2.5.14.1 this plugin used the json-lib library [3], which has not been
updated for several years and is vulnerable. After 2.5.14 Struts replaced
this library with jackson.

> I'm not using this but below jackson versions are being used. Are we impacted?
> Please confirm along with detailed problem statement who will be impacted on these 2 CVEs.
>
>  jackson-annotations-2.7.0.jar
>  jackson-module-jaxb-annotations-2.7.1.jar
>  jackson-jaxrs-json-provider-2.7.1.jar
>  jackson-jaxrs-base-2.7.1.jar
>  jackson-databind-2.7.1.jar
>  jackson-core-2.7.1.jar

Yes, you're impacted. "A vulnerability was detected in the latest Jackson
JSON library, which was reported here. Upgrade com.fasterxml.jackson to
version 2.9.2 to address CVE-2017-7525" [4]. If you don't use Struts'
REST Plugin you are still impacted, because this vulnerability is in
jackson itself [5].

Hope these help,
Yasser.

[1] https://cwiki.apache.org/confluence/display/WW/S2-054
[2] https://mvnrepository.com/artifact/org.apache.struts/struts2-rest-plugin
[3] https://sourceforge.net/projects/json-lib/files/
[4] https://cwiki.apache.org/confluence/display/WW/S2-055
[5] https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-342983770

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
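As an added example, not code from the thread or from the Struts project: a POSIX sh check that takes a list of jar names (the list from the question is embedded as constructed sample input, with a REST plugin jar added so both checks have something to look at) and flags the two conditions the reply above describes, jackson-databind below the 2.9.2 that S2-055 points to, and struts2-rest-plugin below 2.5.14.1 for S2-054. Both thresholds are lifted from the thread; the function names and the script layout are my own.

```shell
#!/bin/sh
# Added example, not part of the thread: scan jar file names (e.g. the
# contents of WEB-INF/lib) and flag the two things discussed above:
#   - jackson-databind older than 2.9.2, the version the quoted S2-055
#     advisory says to upgrade to for CVE-2017-7525
#   - struts2-rest-plugin older than 2.5.14.1, the Struts release that
#     fixed S2-054
# Both thresholds come from the thread; adjust them as advisories move.

MIN_DATABIND="2.9.2"
MIN_REST_PLUGIN="2.5.14.1"

# version_lt A B: succeed (exit 0) when dotted version A sorts below B.
# Components compare numerically (2.10.0 is newer than 2.9.2) and a
# missing component counts as 0 (2.7.9 is below 2.7.9.1).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0;
            bi = (i <= m) ? y[i] + 0 : 0;
            if (ai < bi) exit 0;
            if (ai > bi) exit 1;
        }
        exit 1;
    }'
}

# jar_artifact NAME / jar_version NAME: split "artifact-1.2.3.jar" into the
# artifact id and a purely numeric version. jar_version prints nothing for a
# SNAPSHOT or classifier build, which check_jars treats as "inspect manually".
jar_artifact() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\)-[0-9].*\.jar$/\1/p'
}
jar_version() {
    printf '%s\n' "$1" | sed -n 's/^.*-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# check_jars: read jar names from stdin, one per line; print one FLAG line
# per finding and return 1 if anything was flagged, 0 if the list is clean.
check_jars() {
    found=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        name=$(jar_artifact "$jar")
        ver=$(jar_version "$jar")
        case "$name" in
            jackson-databind|struts2-rest-plugin)
                if [ "$name" = "jackson-databind" ]; then
                    min=$MIN_DATABIND; ref="CVE-2017-7525 / S2-055"
                else
                    min=$MIN_REST_PLUGIN; ref="S2-054"
                fi
                if [ -z "$ver" ]; then
                    printf 'FLAG %s: version not parsed, inspect manually (%s)\n' "$jar" "$ref"
                    found=1
                elif version_lt "$ver" "$min"; then
                    printf 'FLAG %s: %s %s is below %s (%s)\n' "$jar" "$name" "$ver" "$min" "$ref"
                    found=1
                fi ;;
        esac
    done
    return $found
}

# Constructed sample input: the jar names from the question, plus a REST
# plugin jar from the pre-fix 2.5.13 line so the S2-054 check fires too.
sample_jars() {
    cat <<'EOF'
jackson-annotations-2.7.0.jar
jackson-module-jaxb-annotations-2.7.1.jar
jackson-jaxrs-json-provider-2.7.1.jar
jackson-jaxrs-base-2.7.1.jar
jackson-databind-2.7.1.jar
jackson-core-2.7.1.jar
struts2-rest-plugin-2.5.13.jar
EOF
}

# Usage: sh jackson_check.sh /path/to/WEB-INF/lib   (no argument: sample list)
if [ -n "${1:-}" ]; then
    for f in "$1"/*.jar; do [ -e "$f" ] && basename "$f"; done | check_jars
elif sample_jars | check_jars; then
    echo "sample list: clean"
else
    echo "sample list: findings above"
fi
```

Run it with a WEB-INF/lib path to scan a deployment, or with no argument to see it on the sample list. A version check like this only tells you whether an affected jar is on the classpath: CVE-2017-7525 is a flaw in jackson-databind's polymorphic deserialization, so how the ObjectMapper is configured decides whether untrusted input actually reaches it. A jar whose version the script cannot parse is flagged for manual inspection rather than silently skipped.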

Re: Struts 2.5.14.1 version - Security fixes - Need clarifications

upendar devu
Thank you for the response. You mentioned that I'm still impacted even
when not using the REST plugin, since the vulnerability is found in the latest
jackson library. But we are using version 2.7 and not the latest version;
do you think the issue still exists with version 2.7?

Thanks

On Wed, Dec 6, 2017 at 1:35 PM, Yasser Zamani <[hidden email]>
wrote:


Re: Struts 2.5.14.1 version - Security fixes - Need clarifications

adam brin
If you go look at the security declaration and the links into the jackson changeset, it'll list what's been patched. Sorry, not a complete answer, but best I can easily give.

--
_________________________________________________________
Adam Brin
Director of Technology, Digital Antiquity
480.965.1278



Re: Struts 2.5.14.1 version - Security fixes - Need clarifications

upendar devu
Thank you.

On Wed, Dec 6, 2017 at 2:37 PM, Adam Brin <[hidden email]>
wrote:


Re: Struts 2.5.14.1 version - Security fixes - Need clarifications

Yasser Zamani-2

On 12/6/2017 11:03 PM, upendar devu wrote:
> since the vulnerability is found in the latest jackson library. But we are
> using version 2.7 and not the latest version; do you think the issue still
> exists with version 2.7?

Unfortunately I'm not in detail. You may ask at [1] as a comment :)

[1] https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-342983770
