[
https://issues.apache.org/jira/browse/CXF-7752?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dennis Kieselhorst resolved CXF-7752.
-------------------------------------
Resolution: Fixed
Fix Version/s: 3.1.16
> CVE-2018-5968 and CVE-2018-7489
> -------------------------------
>
> Key: CXF-7752
> URL: https://issues.apache.org/jira/browse/CXF-7752
> Project: CXF
> Issue Type: Improvement
> Reporter: Giacomo Boccardo
> Assignee: Dennis Kieselhorst
> Priority: Major
> Fix For: 3.1.16, 3.2.5
>
>
> Analyzing the dependencies of my project using OWASP Dependency Check a
> transitive dependency of org.apache.cxf:cxf-rt-ws-security:jar:3.2.4:compile
> shows two issues in
> {color:#000000}ehcache-{color}{color:#990000}2.10.4.{color}{color:#000000}jar/rest-management-{color}{color:#7f0055}*private*{color}{color:#000000}-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml{color}
> {color:#000000}and the following explanations are reported:{color}
> {color:#000000}FasterXML jackson-databind through 2.8.11 and 2.9.x through
> 2.9.3 allows unauthenticated remote code execution because of an incomplete
> fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is
> exploitable via two different gadgets that bypass a blacklist.{color}
> {color:#000000}FasterXML jackson-databind before 2.8.11.1 and 2.9.x before
> 2.9.5 allows unauthenticated remote code execution because of an incomplete
> fix for the CVE-2017-7525 deserialization flaw. This is exploitable by
> sending maliciously crafted JSON input to the readValue method of the
> ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries
> are available in the classpath.{color}
> Please consider updating net.sf.ehcache:ehcache:jar:2.10.4 when/if it solves
> CVE-2018-5968 and CVE-2018-7489.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
