Posted to issues@geode.apache.org by "Joris Melchior (Jira)" <ji...@apache.org> on 2019/10/07 15:40:00 UTC

[jira] [Commented] (GEODE-7264) Jackson-databind vulnerabilities

    [ https://issues.apache.org/jira/browse/GEODE-7264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16945970#comment-16945970 ] 

Joris Melchior commented on GEODE-7264:
---------------------------------------

See security bulletin for details: [Debian security bulletin|https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html]

TL;DR: for the exploit to work, JDOM 1.x or JDOM 2.x or logback-core jar files have to be present in the class path. Unless Geode users have added these files themselves, these jar files are not included in the Geode distribution.

> Jackson-databind vulnerabilities
> --------------------------------
>
>                 Key: GEODE-7264
>                 URL: https://issues.apache.org/jira/browse/GEODE-7264
>             Project: Geode
>          Issue Type: Bug
>          Components: rest (admin)
>            Reporter: Gang Yan
>            Priority: Major
>
> In case it is by when the customer can expect a patch that addresses these vulnerabilities?
> [1] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814]
> [2] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
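
Added example (not part of the original message and not Geode's own code): a Python check for the precondition described in the comment above, walking a directory tree and reporting jars that contain JDOM 1.x, JDOM 2.x or logback-core classes. The sample jars, their names and the helper build_sample_tree are constructed for illustration; jars nested inside other archives are not opened.

```python
import os
import tempfile
import zipfile

# Package paths of the libraries named in the comment. Matching on jar contents
# rather than file names also catches renamed or shaded (repackaged) copies.
GADGET_PACKAGES = {
    "JDOM 1.x": "org/jdom/",
    "JDOM 2.x": "org/jdom2/",
    "logback-core": "ch/qos/logback/core/",
}

def scan_jar(path):
    """Return sorted names of the listed libraries whose classes are in one jar."""
    with zipfile.ZipFile(path) as jar:
        classes = [n for n in jar.namelist() if n.endswith(".class")]
    return sorted(lib for lib, prefix in GADGET_PACKAGES.items()
                  if any(c.startswith(prefix) for c in classes))

def scan_tree(root):
    """Map each jar under root (relative path) to the listed libraries it holds."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            try:
                libs = scan_jar(full)
            except zipfile.BadZipFile:
                continue  # unreadable archive: skipped here, worth a manual look
            if libs:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = libs
    return hits

def build_sample_tree(root):
    """Constructed sample: jars holding empty placeholder entries, not real classes."""
    samples = {
        "lib/clean.jar": ["com/example/Clean.class"],
        "lib/renamed.jar": ["org/jdom2/Placeholder.class"],
        "ext/shaded.jar": ["com/example/App.class", "ch/qos/logback/core/P.class"],
    }
    for rel, entries in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

To check a real installation, call scan_tree on the directories that end up on the server's class path; an empty result means none of the three libraries was found in the jars scanned.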