peng.jianhua created KYLIN-3027:
-----------------------------------

             Summary: Upgrade Jackson version
                 Key: KYLIN-3027
                 URL: https://issues.apache.org/jira/browse/KYLIN-3027
             Project: Kylin
          Issue Type: Bug
            Reporter: peng.jianhua
            Assignee: peng.jianhua


*【Security Vulnerability Alert】 Jackson-databind deserialization vulnerability*

CVE ID:
{code}
CVE-2017-7525
CVE-2017-15095
{code}

Description
{code}
CVE-2017-7525 is prone to a remote-code execution vulnerability.
Successfully exploiting this issue allows attackers to execute arbitrary code
in the context of the affected application. Failed exploits will result in
denial-of-service conditions.

CVE-2017-15095 describes more deserialization exploits for jackson-databind as
a follow-up to CVE-2017-7525.
{code}

Scope
{code}
Jackson version <= 2.9.2
{code}

Solution
{code}
The Jackson project is about to release a new version to solve the problem
{code}

Reference
{code}
https://github.com/FasterXML/jackson-databind/releases
http://www.openwall.com/lists/oss-security/2017/11/02/3
{code}
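An added audit check, not from the issue or the Kylin project: it scans `mvn dependency:tree` output for resolved jackson-databind artifacts inside the affected range quoted above (<= 2.9.2). The sample tree and the function names are constructed for illustration.

```python
import re
# Scope quoted in the issue: jackson-databind versions up to and including 2.9.2.
LAST_AFFECTED = (2, 9, 2)

# Maven coordinate as printed by `mvn dependency:tree`: group:artifact:type:version[:scope]
DEP_LINE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):"
    r"(?P<version>[^:\s)]+)(?::(?P<scope>\w+))?"
)

def parse_version(text: str) -> tuple:
    """Leading numeric components, '2.9.2' -> (2, 9, 2); qualifiers like '.pr1' are dropped."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def is_affected(version: str) -> bool:
    # Assumption: the numeric prefix alone decides membership in the <= 2.9.2 range.
    numeric = parse_version(version)
    return bool(numeric) and numeric <= LAST_AFFECTED

def find_vulnerable_jackson(tree_output: str) -> list:
    """(version, scope) for each resolved jackson-databind inside the issue's scope."""
    hits = []
    for line in tree_output.splitlines():
        if "omitted for" in line:  # conflict/duplicate entries never reach the classpath
            continue
        m = DEP_LINE.search(line)
        if not m or m.group("group") != "com.fasterxml.jackson.core":
            continue
        if m.group("artifact") == "jackson-databind" and is_affected(m.group("version")):
            hits.append((m.group("version"), m.group("scope") or "compile"))
    return hits

# Constructed sample of `mvn dependency:tree` output (not real Kylin output).
SAMPLE_TREE = """\
[INFO] org.example:demo:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.3:compile
[INFO] |  \\- (com.fasterxml.jackson.core:jackson-databind:jar:2.4.4:compile - omitted for conflict with 2.6.3)
[INFO] +- org.example:other-lib:jar:3.1:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.2:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.3:test
"""

if __name__ == "__main__":
    for version, scope in find_vulnerable_jackson(SAMPLE_TREE):
        print(f"jackson-databind {version} ({scope}) is in the affected range (<= 2.9.2)")
```

Run it against real output with `mvn dependency:tree > tree.txt` and pass the file contents to `find_vulnerable_jackson`; a non-empty result means the build still resolves an affected jackson-databind somewhere on the classpath.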

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)