[ https://issues.apache.org/jira/browse/KYLIN-3027?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shaofeng SHI closed KYLIN-3027.
-------------------------------
    Resolution: Fixed

Updated to 2.9.5 in KYLIN-3372

> Upgrade Jackson version
> -----------------------
>
>                 Key: KYLIN-3027
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3027
>             Project: Kylin
>          Issue Type: Bug
>            Reporter: peng.jianhua
>            Assignee: peng.jianhua
>            Priority: Major
>
> *【Security Vulnerability Alert】 Jackson-databind deserialization vulnerability*
> CVE ID:
> {code}
> CVE-2017-7525
> CVE-2017-15095
> {code}
> Description
> {code}
> CVE-2017-7525 is prone to a remote-code execution vulnerability. 
> Successfully exploiting this issue allows attackers to execute arbitrary code 
> in the context of the affected application. Failed exploits will result in 
> denial-of-service conditions.
> CVE-2017-15095 describes more deserialization exploits for jackson-databind 
> as a follow-up to CVE-2017-7525
> {code}
> Scope
> {code}
> Jackson version <= 2.9.2
> {code}
> Solution
> {code}
> The Jackson project is about to release a new version to solve the problem
> {code}
> Reference
> {code}
> https://github.com/FasterXML/jackson-databind/releases
> http://www.openwall.com/lists/oss-security/2017/11/02/3
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
