[jira] [Commented] (GEODE-7264) Jackson-databind vulnerabilities
[ https://issues.apache.org/jira/browse/GEODE-7264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16946076#comment-16946076 ]

Joris Melchior commented on GEODE-7264:
---------------------------------------

The linked issue fix resolves this issue as well.

> Jackson-databind vulnerabilities
> --------------------------------
>
> Key: GEODE-7264
> URL: https://issues.apache.org/jira/browse/GEODE-7264
> Project: Geode
> Issue Type: Bug
> Components: rest (admin)
> Reporter: Gang Yan
> Priority: Major
>
> In case it is by when the customer can expect a patch that addresses these
> vulnerabilities?
> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814
> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Commented] (GEODE-7264) Jackson-databind vulnerabilities
[ https://issues.apache.org/jira/browse/GEODE-7264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16945970#comment-16945970 ]

Joris Melchior commented on GEODE-7264:
---------------------------------------

See security bulletin for details: Debian security bulletin (https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html)

TLDR; for the exploit to work, JDOM 1.x or JDOM 2.x or logback-core jar files have to be present in the class path. Unless Geode users have added these files themselves, these jar files are not included in the Geode distribution.

> Jackson-databind vulnerabilities
> --------------------------------
>
> Key: GEODE-7264
> URL: https://issues.apache.org/jira/browse/GEODE-7264
> Project: Geode
> Issue Type: Bug
> Components: rest (admin)
> Reporter: Gang Yan
> Priority: Major
>
> In case it is by when the customer can expect a patch that addresses these
> vulnerabilities?
> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814
> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
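
The comment above ties exploitability to JDOM 1.x, JDOM 2.x or logback-core being on the class path. As an added example (not part of the Jira thread and not Geode code), this script checks a deployment for that condition by looking inside each jar for those libraries' packages, so a renamed jar is still found. The directory to scan is supplied by the operator; jars nested inside other archives are not opened.

```python
import os
import sys
import zipfile

# Package prefixes of the libraries the comment names as prerequisites
# (org.jdom = JDOM 1.x, org.jdom2 = JDOM 2.x), plus jackson-databind itself.
PACKAGES = {
    "org/jdom/": "JDOM 1.x",
    "org/jdom2/": "JDOM 2.x",
    "ch/qos/logback/core/": "logback-core",
    "com/fasterxml/jackson/databind/": "jackson-databind",
}


def libraries_in_jar(path):
    """Return the flagged libraries whose classes are inside one jar."""
    found = set()
    try:
        with zipfile.ZipFile(path) as jar:
            for name in jar.namelist():
                if name.endswith(".class"):
                    found.update(lib for prefix, lib in PACKAGES.items()
                                 if name.startswith(prefix))
    except (zipfile.BadZipFile, OSError):
        found.add("unreadable archive")  # report it rather than skip silently
    return found


def scan(directory):
    """Walk a directory tree; map each jar path to the flagged libraries in it."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for filename in sorted(files):
            if filename.lower().endswith(".jar"):
                libs = libraries_in_jar(os.path.join(root, filename))
                if libs:
                    report[os.path.join(root, filename)] = libs
    return report


def prerequisite_libraries(report):
    """Libraries from the comment's list (not jackson-databind) found anywhere."""
    found = set().union(*report.values())
    return sorted(found - {"jackson-databind", "unreadable archive"})


if __name__ == "__main__":
    result = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for jar_path, libs in sorted(result.items()):
        print(jar_path, "->", ", ".join(sorted(libs)))
    print("prerequisite libraries present:", prerequisite_libraries(result) or "none")
```

An empty result from `prerequisite_libraries` only covers the directory scanned; jars added to the class path from other locations need the same check.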