Struts 2.5.14.1 version - Security fixes - Need clarifications

Struts 2.5.14.1 version - Security fixes - Need clarifications

upendar devu
CVE-2017-15095 & CVE-2017-7525 - S2-054 & S2-055 have been fixed in
version 2.5.14.1.

We are using Struts2 version 2.5.13. We are not using the Struts-based REST
plugin but are using the Jackson versions below.

I'm confused about the problem statements of these 2 reported CVEs. Does this
impact those using the Struts-based REST plugin? I'm not using it, but the
Jackson versions below are being used. Are we impacted? Please confirm,
along with a detailed problem statement on these 2 CVEs.



 jackson-annotations-2.7.0.jar
 jackson-module-jaxb-annotations-2.7.1.jar
 jackson-jaxrs-json-provider-2.7.1.jar
 jackson-jaxrs-base-2.7.1.jar
 jackson-databind-2.7.1.jar
 jackson-core-2.7.1.jar


Thanks
Re: Struts 2.5.14.1 version - Security fixes - Need clarifications

upendar devu
Including Struts Security team

On Wed, Dec 6, 2017 at 12:06 PM, upendar devu <[hidden email]> wrote:

> CVE-2017-15095 & CVE-2017-7525 - S2-054 & S2-055 have been fixed in
> version 2.5.14.1.
>
> We are using Struts2 version 2.5.13. We are not using the Struts-based REST
> plugin but are using the Jackson versions below.
>
> I'm confused about the problem statements of these 2 reported CVEs. Does this
> impact those using the Struts-based REST plugin? I'm not using it, but the
> Jackson versions below are being used. Are we impacted? Please confirm,
> along with a detailed problem statement on these 2 CVEs.
>
>
>
>  jackson-annotations-2.7.0.jar
>  jackson-module-jaxb-annotations-2.7.1.jar
>  jackson-jaxrs-json-provider-2.7.1.jar
>  jackson-jaxrs-base-2.7.1.jar
>  jackson-databind-2.7.1.jar
>  jackson-core-2.7.1.jar
>
>
> Thanks
>