Posted to issues@geode.apache.org by "Joris Melchior (Jira)" <ji...@apache.org> on 2019/10/07 15:40:00 UTC
[jira] [Commented] (GEODE-7264) Jackson-databind vulnerabilities
[ https://issues.apache.org/jira/browse/GEODE-7264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16945970#comment-16945970 ]
Joris Melchior commented on GEODE-7264:
---------------------------------------
See security bulletin for details: Debian security bulletin, https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html
TL;DR: for the exploit to work, JDOM 1.x or JDOM 2.x or logback-core jar files have to be present in the class path. Unless Geode users have added these files themselves, these jar files are not included in the Geode distribution.
> Jackson-databind vulnerabilities
> --------------------------------
>
> Key: GEODE-7264
> URL: https://issues.apache.org/jira/browse/GEODE-7264
> Project: Geode
> Issue Type: Bug
> Components: rest (admin)
> Reporter: Gang Yan
> Priority: Major
>
> In case it is by when the customer can expect a patch that addresses these vulnerabilities?
> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814
> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
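
One way to check the precondition stated in the comment above, as an added example that is not part of the original message or of Geode's code: scan a classpath for jars that carry JDOM 1.x, JDOM 2.x or logback-core classes, including copies bundled inside a fat jar. The function names and the sample jars are hypothetical and constructed; the package paths are the standard ones for those libraries.

```python
import os
import zipfile

# Libraries the comment names as prerequisites, keyed to their Java package paths.
REQUIRED_LIBS = {
    "JDOM 1.x": "org/jdom/",
    "JDOM 2.x": "org/jdom2/",
    "logback-core": "ch/qos/logback/core/",
}

def expand_classpath(classpath, sep=os.pathsep):
    """Yield jar paths from a classpath string, expanding Java-style 'dir/*' entries."""
    for entry in filter(None, classpath.split(sep)):
        if entry.endswith("*"):
            folder = entry[:-1] or "."
            if os.path.isdir(folder):
                for name in sorted(os.listdir(folder)):
                    if name.lower().endswith(".jar"):
                        yield os.path.join(folder, name)
        elif entry.lower().endswith(".jar") and os.path.isfile(entry):
            yield entry

def scan_classpath(classpath, sep=os.pathsep):
    """Return {jar_path: [library, ...]} for jars that contain classes of the listed libraries."""
    findings = {}
    for jar in expand_classpath(classpath, sep):
        try:
            with zipfile.ZipFile(jar) as zf:
                names = zf.namelist()
        except (zipfile.BadZipFile, OSError):
            continue  # not a readable archive; skip it
        hits = [lib for lib, prefix in REQUIRED_LIBS.items()
                if any(n.startswith(prefix) and n.endswith(".class") for n in names)]
        if hits:
            findings[jar] = hits
    return findings

def build_constructed_lib(folder):
    """Write constructed sample jars (placeholder class entries, no real code)."""
    samples = {
        "geode-core-constructed.jar": ["org/apache/geode/Sample.class"],
        "jdom2-constructed.jar": ["org/jdom2/Element.class"],
        "app-all-constructed.jar": ["com/example/Main.class", "ch/qos/logback/core/Context.class"],
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(os.path.join(folder, name), "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
```

Matching on package paths inside each archive rather than on file names catches renamed or shaded copies; plain class directories on the classpath are not inspected by this sketch.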