Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-12 Thread Lukasz Lenart
2017-12-12 16:22 GMT+01:00 upendar devu : > could someone please confirm what Jackson databind versions are impacted? > we are using 2.7.1 version. Here is a list [1] of unimpacted versions, which means any others are impacted [1] https://github.com/FasterXML/jackson-databind/issues/1599#issuec

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-12 Thread upendar devu
Could someone please confirm what Jackson databind versions are impacted? We are using 2.7.1 version. On Tue, Dec 12, 2017 at 9:45 AM, Lukasz Lenart wrote: > 2017-12-12 15:29 GMT+01:00 Emi : > > Hello, > >> > >> vulnerability exists in a JSON Jackson library and it's registered under > >> CVE-

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-12 Thread Lukasz Lenart
2017-12-12 15:29 GMT+01:00 Emi : > Hello, >> >> vulnerability exists in a JSON Jackson library and it's registered under >> CVE-2017-7525. > > I think you mean the following jars right? > > (1) jackson-core-2.9.2.jar > (2) jackson-annotations-2.9.0.jar > (3) jackson-databind-2.9.2.jar I didn't ana

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-12 Thread Emi
Hello, vulnerability exists in a JSON Jackson library and it's registered under CVE-2017-7525. I think you mean the following jars right? (1) jackson-core-2.9.2.jar (2) jackson-annotations-2.9.0.jar (3) jackson-databind-2.9.2.jar Please read the bulletin [1] and apply possible solutions. This

[ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-11 Thread Lukasz Lenart
Hi, After further clarification we increased impact of a vulnerability reported to us and described as S2-055 to High. The vulnerability exists in a JSON Jackson library and it's registered under CVE-2017-7525. Please read the bulletin [1] and apply possible solutions. This vulnerability impacts a

Re: Security Bulletin S2-055

2017-12-08 Thread Lukasz Lenart
Thank you for clarifying this, it wasn't clear to me what kind of issue was that Jackson vulnerability. Kind regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ 2017-12-08 2:09 GMT+01:00 : > Hello, > > I think it would be appropriate to update the Impact of Vulnerability to > indicat

Security Bulletin S2-055

2017-12-07 Thread darrell.ambro
Hello, I think it would be appropriate to update the Impact of Vulnerability to indicate that this issue could be used for remote code execution. The conversation in the Jackson Project Issues: https://github.com/FasterXML/jackson-databind/issues/1599 and articles such as https://adamcaudill.c