Thank you for the response. You mentioned that I'm still impacted even if
not using the REST plugin, since the vulnerability is found in the latest
Jackson library. But we are using version 2.7 and not the latest version;
do you think the issue still exists with version 2.7?

Thanks

On Wed, Dec 6, 2017 at 1:35 PM, Yasser Zamani <yasserzam...@apache.org>
wrote:

>
>
> On 12/6/2017 9:40 PM, upendar devu wrote:
> > Does this impact those using the Struts-based REST plugin?
>
> CVE-2017-15707 [1] is for those using Struts' REST Plugin [2]. Before
> 2.5.14.1 this plugin uses the json-lib library [3], which has not been
> updated for several years and is vulnerable. After 2.5.14 Struts replaced
> this library with Jackson.
>
> > I'm not using this, but the Jackson versions below are being used. Are we
> > impacted?
> > Please confirm, along with a detailed problem statement, who will be
> > impacted by these 2 CVEs.
> >
> >  jackson-annotations-2.7.0.jar
> >  jackson-module-jaxb-annotations-2.7.1.jar
> >  jackson-jaxrs-json-provider-2.7.1.jar
> >  jackson-jaxrs-base-2.7.1.jar
> >  jackson-databind-2.7.1.jar
> >  jackson-core-2.7.1.jar
>
> Yes, you're impacted. "A vulnerability was detected in the latest Jackson
> JSON library, which was reported here. Upgrade com.fasterxml.jackson to
> version 2.9.2 to address CVE-2017-7525" [4]. If you don't use Struts'
> REST Plugin then you still are impacted because this vulnerability is
> with jackson itself [5].
>
> Hope these help,
> Yasser.
>
> [1] https://cwiki.apache.org/confluence/display/WW/S2-054
> [2] https://mvnrepository.com/artifact/org.apache.struts/struts2-rest-plugin
> [3] https://sourceforge.net/projects/json-lib/files/
> [4] https://cwiki.apache.org/confluence/display/WW/S2-055
> [5] https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-342983770
>
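As an added check, not from the thread: a small Python script that parses jar file names like the ones listed in the question and flags every jackson-* artifact below the 2.9.2 version the reply points to. It assumes Maven-style `artifactId-version.jar` names; the sample list is constructed from the question with one unrelated jar added to show non-Jackson entries being ignored.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version the reply says to upgrade com.fasterxml.jackson to (S2-055 / CVE-2017-7525).
FIXED_VERSION = (2, 9, 2)

# Constructed sample input: the jar names from the question, plus one unrelated jar.
SAMPLE_JARS = [
    "jackson-annotations-2.7.0.jar",
    "jackson-module-jaxb-annotations-2.7.1.jar",
    "jackson-jaxrs-json-provider-2.7.1.jar",
    "jackson-jaxrs-base-2.7.1.jar",
    "jackson-databind-2.7.1.jar",
    "jackson-core-2.7.1.jar",
    "commons-lang3-3.7.jar",
]

# artifactId, a '-', then a version that starts with a digit, then '.jar'.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*?)\.jar$")

def parse_version(text: str) -> Tuple[int, ...]:
    """Leading numeric parts of a Maven-style version: '2.8.11.1' -> (2, 8, 11, 1).
    A non-numeric tail such as '.pr1' ends the tuple, so a pre-release compares as its base."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def audit_jars(jar_names: List[str]) -> Dict[str, Tuple[str, bool]]:
    """Map each jackson-* artifact to (version, needs_upgrade); other jars are ignored."""
    findings: Dict[str, Tuple[str, bool]] = {}
    for name in jar_names:
        m = JAR_RE.match(name.strip())
        if not m or not m.group("artifact").startswith("jackson-"):
            continue
        version = m.group("version")
        findings[m.group("artifact")] = (version, parse_version(version) < FIXED_VERSION)
    return findings

def databind_is_vulnerable(jar_names: List[str]) -> Optional[bool]:
    """True/False for jackson-databind against the 2.9.2 fix; None when it is absent."""
    entry = audit_jars(jar_names).get("jackson-databind")
    return None if entry is None else entry[1]

if __name__ == "__main__":
    for artifact, (version, outdated) in sorted(audit_jars(SAMPLE_JARS).items()):
        print(f"{artifact:<40} {version:<10} {'UPGRADE' if outdated else 'ok'}")
```

Point it at `ls lib/*.jar` output (or a dependency report) to get the same verdict for a real classpath; the threshold is only the version named in the reply above, so adjust it as later advisories move it.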
