You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Lukasz Lenart <lu...@apache.org> on 2017/12/12 07:13:02 UTC
[ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to
High (related to CVE-2017-7525 - JSON Jackson library)
Hi,
After further clarification we increased impact of a vulnerability
reported to us and described as S2-055 to High. The vulnerability
exists in a JSON Jackson library and it's registered under
CVE-2017-7525. Please read the bulletin [1] and apply possible
solutions. This vulnerability impacts anyone using the vulnerable
Jackson JSON library (not only Struts users).
[1] https://cwiki.apache.org/confluence/display/WW/S2-055
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased
to High (related to CVE-2017-7525 - JSON Jackson library)
Posted by Lukasz Lenart <lu...@apache.org>.
2017-12-12 16:22 GMT+01:00 upendar devu <de...@gmail.com>:
> could someone please confirm what Jackson databind versions are impacted ?
> we are using 2.7.1 version .
Here is a list [1] of unimpacted versions, which means any other are impacted
[1] https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-342983770
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased
to High (related to CVE-2017-7525 - JSON Jackson library)
Posted by upendar devu <de...@gmail.com>.
could someone please confirm what Jackson databind versions are impacted ?
we are using 2.7.1 version .
On Tue, Dec 12, 2017 at 9:45 AM, Lukasz Lenart <lu...@apache.org>
wrote:
> 2017-12-12 15:29 GMT+01:00 Emi <em...@encs.concordia.ca>:
> > Hello,
> >>
> >> vulnerability exists in a JSON Jackson library and it's registered under
> >> CVE-2017-7525.
> >
> > I think you mean the following jars right?
> >
> > (1) jackson-core-2.9.2.jar
> > (2) jackson-annotations-2.9.0.jar
> > (3) jackson-databind-2.9.2.jar
>
> I didn't analyse which jars are affected by the CVE but I think you
> are right and mostly it will be jackson-databind only.
>
> >> Please read the bulletin [1] and apply possible
> >> solutions. This vulnerability impacts anyone using the vulnerable
> >> Jackson JSON library (not only Struts users).
> >>
> >> [1] https://cwiki.apache.org/confluence/display/WW/S2-055
> >
> > So, if do not use the above jars, it should be fine?
>
> Yes
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased
to High (related to CVE-2017-7525 - JSON Jackson library)
Posted by Lukasz Lenart <lu...@apache.org>.
2017-12-12 15:29 GMT+01:00 Emi <em...@encs.concordia.ca>:
> Hello,
>>
>> vulnerability exists in a JSON Jackson library and it's registered under
>> CVE-2017-7525.
>
> I think you mean the following jars right?
>
> (1) jackson-core-2.9.2.jar
> (2) jackson-annotations-2.9.0.jar
> (3) jackson-databind-2.9.2.jar
I didn't analyse which jars are affected by the CVE but I think you
are right and mostly it will be jackson-databind only.
>> Please read the bulletin [1] and apply possible
>> solutions. This vulnerability impacts anyone using the vulnerable
>> Jackson JSON library (not only Struts users).
>>
>> [1] https://cwiki.apache.org/confluence/display/WW/S2-055
>
> So, if do not use the above jars, it should be fine?
Yes
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased
to High (related to CVE-2017-7525 - JSON Jackson library)
Posted by Emi <em...@encs.concordia.ca>.
Hello,
> vulnerability exists in a JSON Jackson library and it's registered under
> CVE-2017-7525.
I think you mean the following jars right?
(1) jackson-core-2.9.2.jar
(2) jackson-annotations-2.9.0.jar
(3) jackson-databind-2.9.2.jar
> Please read the bulletin [1] and apply possible
> solutions. This vulnerability impacts anyone using the vulnerable
> Jackson JSON library (not only Struts users).
>
> [1] https://cwiki.apache.org/confluence/display/WW/S2-055
So, if do not use the above jars, it should be fine?
Thanks.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org