On 12/6/2017 9:40 PM, upendar devu wrote:
> Does this impact those using the Struts-based REST plugin?

CVE-2017-15707 [1] is for those using Struts' REST Plugin [2]. Before 2.5.14.1 this plugin uses the json-lib library [3], which has not been updated for several years and is vulnerable. After 2.5.14 Struts replaced this library with Jackson.

> I'm not using this, but the jackson versions below are being used. Are we
> impacted?
> Please confirm, along with a detailed problem statement, who will be impacted by
> these 2 CVEs.
>
> jackson-annotations-2.7.0.jar
> jackson-module-jaxb-annotations-2.7.1.jar
> jackson-jaxrs-json-provider-2.7.1.jar
> jackson-jaxrs-base-2.7.1.jar
> jackson-databind-2.7.1.jar
> jackson-core-2.7.1.jar

Yes, you're impacted. "A vulnerability was detected in the latest Jackson JSON library, which was reported here. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525" [4].

If you don't use Struts' REST Plugin you are still impacted, because this vulnerability is in Jackson itself [5].

Hope these help,
Yasser.

[1] https://cwiki.apache.org/confluence/display/WW/S2-054
[2] https://mvnrepository.com/artifact/org.apache.struts/struts2-rest-plugin
[3] https://sourceforge.net/projects/json-lib/files/
[4] https://cwiki.apache.org/confluence/display/WW/S2-055
[5] https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-342983770
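A small dependency audit that applies the two fix thresholds stated in this thread (Jackson 2.9.2 for S2-055 / CVE-2017-7525, struts2-rest-plugin 2.5.14.1 for S2-054 / CVE-2017-15707) to a list of jar file names, as an added example that is not part of the original mail; the jar list and the patched-version entries are constructed, and the artifact-name matching is this example's own simplification.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    artifact: str
    version: str
    fixed_in: str
    advisory: str


# (artifact name prefix, first fixed version, advisory) as stated in the thread.
# S2-055 says to move com.fasterxml.jackson as a whole to 2.9.2, so every
# jackson-* artifact is checked against that threshold, not only databind.
RULES: List[Tuple[str, str, str]] = [
    ("jackson-", "2.9.2", "CVE-2017-7525 / S2-055"),
    ("struts2-rest-plugin", "2.5.14.1", "CVE-2017-15707 / S2-054"),
]

# "<artifact>-<version>.jar"; artifact part stops at the first "-<digit>".
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d[\w.]*)\.jar$")


def parse_version(v: str) -> Tuple[int, ...]:
    # Dotted numeric components; a non-numeric component sorts below any number.
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def version_lt(a: str, b: str) -> bool:
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def audit_jars(jar_names: List[str]) -> List[Finding]:
    findings = []
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue  # not a "<artifact>-<version>.jar" file name; skip
        artifact, version = m.group("artifact"), m.group("version")
        for prefix, fixed, advisory in RULES:
            if artifact.startswith(prefix) and version_lt(version, fixed):
                findings.append(Finding(artifact, version, fixed, advisory))
    return findings


# Constructed sample: the six jars from the question, an old REST plugin,
# and one already-patched databind jar that must not be flagged.
SAMPLE_JARS = [
    "jackson-annotations-2.7.0.jar", "jackson-module-jaxb-annotations-2.7.1.jar",
    "jackson-jaxrs-json-provider-2.7.1.jar", "jackson-jaxrs-base-2.7.1.jar",
    "jackson-databind-2.7.1.jar", "jackson-core-2.7.1.jar",
    "struts2-rest-plugin-2.5.13.jar", "jackson-databind-2.9.2.jar",
]

if __name__ == "__main__":
    for f in audit_jars(SAMPLE_JARS):
        print(f"{f.artifact} {f.version} < {f.fixed_in}  ({f.advisory})")
```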