Thank you.

On Wed, Dec 6, 2017 at 2:37 PM, Adam Brin <ab...@digitalantiquity.org> wrote:
> If you go look at the security declaration and the links into the jackson
> changeset, it'll list what's been patched. Sorry, not a complete answer, but
> the best I can easily give.
>
> --
> _________________________________________________________
> Adam Brin
> Director of Technology, Digital Antiquity
> 480.965.1278
>
> > On Dec 6, 2017, at 12:33 PM, upendar devu <devulapal...@gmail.com> wrote:
> >
> > Thank you for the response. You mentioned that I'm still impacted even
> > if not using the REST plugin, since the vulnerability is found in the latest
> > jackson library. But we are using version 2.7 and not the latest version;
> > do you think the issue still exists with version 2.7?
> >
> > Thanks
> >
> > On Wed, Dec 6, 2017 at 1:35 PM, Yasser Zamani <yasserzam...@apache.org> wrote:
> >
> >> On 12/6/2017 9:40 PM, upendar devu wrote:
> >>> Does this impact those using the Struts-based REST plugin?
> >>
> >> CVE-2017-15707 [1] is for those using Struts' REST Plugin [2]. Before
> >> 2.5.14.1 this plugin used the json-lib library [3], which has not been
> >> updated for several years and is vulnerable. After 2.5.14 Struts replaced
> >> this library with jackson.
> >>
> >>> I'm not using this, but the jackson versions below are being used. Are we
> >>> impacted? Please confirm, along with a detailed problem statement, who
> >>> will be impacted by these 2 CVEs.
> >>>
> >>> jackson-annotations-2.7.0.jar
> >>> jackson-module-jaxb-annotations-2.7.1.jar
> >>> jackson-jaxrs-json-provider-2.7.1.jar
> >>> jackson-jaxrs-base-2.7.1.jar
> >>> jackson-databind-2.7.1.jar
> >>> jackson-core-2.7.1.jar
> >>
> >> Yes, you're impacted. "A vulnerability was detected in the latest Jackson
> >> JSON library, which was reported here. Upgrade com.fasterxml.jackson to
> >> version 2.9.2 to address CVE-2017-7525" [4]. If you don't use Struts'
> >> REST Plugin then you are still impacted, because this vulnerability is
> >> in jackson itself [5].
> >>
> >> Hope these help,
> >> Yasser.
> >>
> >> [1] https://cwiki.apache.org/confluence/display/WW/S2-054
> >> [2] https://mvnrepository.com/artifact/org.apache.struts/struts2-rest-plugin
> >> [3] https://sourceforge.net/projects/json-lib/files/
> >> [4] https://cwiki.apache.org/confluence/display/WW/S2-055
> >> [5] https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-342983770
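The practical question in the thread is "we ship jackson 2.7.x, are we below the floor S2-055 names?" The script below is an added example, not code from the thread, from Struts or from the Jackson project: it parses Jackson artifact versions out of jar file names, compares them numerically against the 2.9.2 floor quoted from S2-055, and reports which artifacts to bump. Assumptions: the version is taken from the file name (jars renamed, shaded or built with qualifiers like `-SNAPSHOT` are not recognised; for those, read `META-INF/maven/.../pom.properties` inside the jar instead), and the threshold is hard-coded to the value the advisory gives rather than looked up anywhere. The jar list embedded in the block is the one the original poster gave, plus one constructed non-Jackson jar to show it is ignored.

```python
"""Classpath check for the S2-055 / CVE-2017-7525 advice quoted in the thread."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Version S2-055 (as quoted in the thread) says to upgrade com.fasterxml.jackson to.
# Assumption: anything below it is treated as needing the upgrade.
MIN_DATABIND = "2.9.2"

# Jar names the original poster listed, plus one constructed non-Jackson jar.
SAMPLE_JARS = [
    "jackson-annotations-2.7.0.jar",
    "jackson-module-jaxb-annotations-2.7.1.jar",
    "jackson-jaxrs-json-provider-2.7.1.jar",
    "jackson-jaxrs-base-2.7.1.jar",
    "jackson-databind-2.7.1.jar",
    "jackson-core-2.7.1.jar",
    "struts2-core-2.5.13.jar",  # constructed, not from the thread
]

# artifactId followed by a purely numeric version, e.g. jackson-databind-2.7.1.jar.
# Qualified versions (2.9.2-SNAPSHOT, 2.9.2.redhat-1) are deliberately not matched.
JAR_RE = re.compile(r"^(?P<artifact>jackson-.+)-(?P<version>\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.9.10' -> (2, 9, 10), so 2.9.10 compares above 2.9.2 (a string compare would not)."""
    return tuple(int(part) for part in version.split("."))


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (artifactId, version) for a Jackson jar file name, or None for anything else."""
    m = JAR_RE.match(os.path.basename(name))
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def assess(jar_names: List[str], min_databind: str = MIN_DATABIND) -> Dict[str, object]:
    """Decide whether a set of jar names is below the advisory's databind floor."""
    found: Dict[str, str] = {}
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed:
            found[parsed[0]] = parsed[1]
    databind = found.get("jackson-databind")
    report: Dict[str, object] = {"databind": databind, "vulnerable": False, "upgrade": []}
    if databind is None:
        # No jackson-databind on the classpath means no Jackson deserialization code.
        return report
    if parse_version(databind) < parse_version(min_databind):
        report["vulnerable"] = True
        # Bump the whole family, not just databind: jackson-databind 2.9.x depends on
        # jackson-core/annotations 2.9.x, and mixed Jackson minor lines break at runtime.
        report["upgrade"] = sorted(found)
    return report


def scan_directory(lib_dir: str) -> Dict[str, object]:
    """Run assess() over every .jar in a directory such as WEB-INF/lib."""
    return assess([f for f in os.listdir(lib_dir) if f.endswith(".jar")])


if __name__ == "__main__":
    result = assess(SAMPLE_JARS)
    if result["vulnerable"]:
        print(f"jackson-databind {result['databind']} < {MIN_DATABIND}: upgrade "
              + ", ".join(result["upgrade"]))
    else:
        print(f"jackson-databind {result['databind']}: at or above {MIN_DATABIND}")
```

Run it against `WEB-INF/lib` of the deployed WAR rather than the build's dependency list: transitive dependencies and application-server-provided jars are what actually end up on the classpath, and a databind jar pulled in by another library is just as affected as one declared directly.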