[jira] [Updated] (KYLIN-3027) Upgrade Jackson version

peng.jianhua (JIRA) Mon, 01 Jan 2018 08:30:09 -0800

     [ 
https://issues.apache.org/jira/browse/KYLIN-3027?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


peng.jianhua updated KYLIN-3027:
--------------------------------
    Sprint:   (was: Sprint 52)

> Upgrade Jackson version
> -----------------------
>
>                 Key: KYLIN-3027
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3027
>             Project: Kylin
>          Issue Type: Bug
>            Reporter: peng.jianhua
>            Assignee: peng.jianhua
>
> *【Security Vulnerability Alert】 Jackson-databind deserialization 
> vulnerability*
> CVE ID:
> {code}
> CVE-2017-7525
> CVE-2017-15095
> {code}
> Description
> {code}
> CVE-2017-7525 is prone to a remote-code execution vulnerability. 
> Successfully exploiting this issue allows attackers to execute arbitrary code 
> in the context of the affected application. Failed exploits will result in 
> denial-of-service conditions.
> CVE-2017-15095 describes more deserialization exploits for jackson-databind 
> as a follow-up to CVE-2017-7525
> {code}
> Scope
> {code}
> Jackson version <= 2.9.2
> {code}
> Solution
> {code}
> Jackson official is about to release a new version to solve the problem
> {code}
> Reference
> {code}
> https://github.com/FasterXML/jackson-databind/releases
> http://www.openwall.com/lists/oss-security/2017/11/02/3
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (KYLIN-3027) Upgrade Jackson version

Reply via email to