You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Dennis Kieselhorst (JIRA)" <ji...@apache.org> on 2018/06/05 10:38:00 UTC

[jira] [Updated] (CXF-7752) CVE-2018-5968 and CVE-2018-7489

     [ https://issues.apache.org/jira/browse/CXF-7752?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Kieselhorst updated CXF-7752:
------------------------------------
    Fix Version/s: 3.2.5

> CVE-2018-5968 and CVE-2018-7489
> -------------------------------
>
>                 Key: CXF-7752
>                 URL: https://issues.apache.org/jira/browse/CXF-7752
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Giacomo Boccardo
>            Assignee: Dennis Kieselhorst
>            Priority: Major
>             Fix For: 3.2.5
>
>
> Analyzing the dependencies of my project using OWASP Dependency Check a transitive dependency of org.apache.cxf:cxf-rt-ws-security:jar:3.2.4:compile shows two issues in
> {color:#000000}ehcache-{color}{color:#990000}2.10.4.{color}{color:#000000}jar/rest-management-{color}{color:#7f0055}*private*{color}{color:#000000}-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml{color}
> {color:#000000}and the following explanations are reported:{color}
> {color:#000000}FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.{color}
> {color:#000000}FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.{color}
> Please consider updating net.sf.ehcache:ehcache:jar:2.10.4 when/if it solves CVE-2018-5968 and CVE-2018-7489.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)