[ https://issues.apache.org/jira/browse/KYLIN-3027?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shaofeng SHI closed KYLIN-3027.
-------------------------------
    Resolution: Fixed

Updated to 2.9.5 in KYLIN-3372

> Upgrade Jackson version
> -----------------------
>
> Key: KYLIN-3027
> URL: https://issues.apache.org/jira/browse/KYLIN-3027
> Project: Kylin
> Issue Type: Bug
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Priority: Major
>
> *【Security Vulnerability Alert】 Jackson-databind deserialization
> vulnerability*
> CVE ID:
> {code}
> CVE-2017-7525
> CVE-2017-15095
> {code}
> Description
> {code}
> CVE-2017-7525 is prone to a remote-code execution vulnerability.
> Successfully exploiting this issue allows attackers to execute arbitrary code
> in the context of the affected application. Failed exploits will result in
> denial-of-service conditions.
> CVE-2017-15095 describes more deserialization exploits for jackson-databind
> as a follow-up to CVE-2017-7525
> {code}
> Scope
> {code}
> Jackson version <= 2.9.2
> {code}
> Solution
> {code}
> Jackson official is about to release a new version to solve the problem
> {code}
> Reference
> {code}
> https://github.com/FasterXML/jackson-databind/releases
> http://www.openwall.com/lists/oss-security/2017/11/02/3
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)