Giacomo Boccardo created CXF-7752:
-------------------------------------
Summary: CVE-2018-5968 and CVE-2018-7489
Key: CXF-7752
URL: https://issues.apache.org/jira/browse/CXF-7752
Project: CXF
Issue Type: Improvement
Reporter: Giacomo Boccardo
Analyzing the dependencies of my project using OWASP Dependency Check a
transitive dependency of org.apache.cxf:cxf-rt-ws-security:jar:3.2.4:compile
shows two issues in
{color:#000000}ehcache-{color}{color:#990000}2.10.4.{color}{color:#000000}jar/rest-management-{color}{color:#7f0055}*private*{color}{color:#000000}-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml{color}
{color:#000000}and the following explanations are reported:{color}
{color:#000000}FasterXML jackson-databind through 2.8.11 and 2.9.x through
2.9.3 allows unauthenticated remote code execution because of an incomplete fix
for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is
exploitable via two different gadgets that bypass a blacklist.{color}
{color:#000000}FasterXML jackson-databind before 2.8.11.1 and 2.9.x before
2.9.5 allows unauthenticated remote code execution because of an incomplete fix
for the CVE-2017-7525 deserialization flaw. This is exploitable by sending
maliciously crafted JSON input to the readValue method of the ObjectMapper,
bypassing a blacklist that is ineffective if the c3p0 libraries are available
in the classpath.{color}
Please consider updating net.sf.ehcache:ehcache:jar:2.10.4 when/if it solves
CVE-2018-5968 and CVE-2018-7489.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
