Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Summary

Excerpt

Removed: Vulnerability in the Jackson issue
Added: Vulnerability in the Jackson JSON library

Who should read this

All Struts 2 developers and users who are using the REST plugin

Impact of vulnerability

Not clear, please read the linked issue for more details. ... https://github.com/FasterXML/jackson-databind/issues/1599

Maximum security rating

Medium

Recommendation

Upgrade to Struts 2.5.14.1 or Struts 2.4 (TBD)

Affected Software

Struts 2.1.1 - 2.3.34, Struts 2.5 - Struts 2.5.14

Reporter

Huijun Chen <chenhuijun at huawei dot com> - Cyber Security Solution Dept, Huawei Technologies Co., Ltd

HPE (TBD) 

CVE Identifier

 

Problem

Removed: The REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload
Added: A vulnerability was detected in the latest Jackson JSON library, which was reported here. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525.

Solution

Removed: Upgrade to Apache Struts version 2.5.14.1 or 2.4. Another solution is to use the Jackson handler instead of the default JSON-lib handler as described here.
Added: Upgrade to Apache Struts version 2.5.14.1 or manually upgrade Jackson dependencies in your project to not vulnerable versions, see this comment.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

Removed: Use Jackson handler instead of the default JSON-lib handler as described here.
Added: Upgrade Jackson JSON library to the latest version.
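The Solution and Workaround sections both say to upgrade the Jackson dependencies manually when the Struts upgrade cannot be taken right away. The Maven fragment below is an added example, not part of the bulletin or the Struts project: it pins the Jackson artifacts to the 2.9.2 version named above via dependencyManagement, so the version pulled in transitively by the REST plugin is overridden. The struts2-rest-plugin coordinates and version, and the project coordinates, are assumptions.

```xml
<!-- pom.xml of a Struts 2 application using the REST plugin.
     Added example, not from the bulletin. Project and plugin
     coordinates are assumed; 2.9.2 is the Jackson version the
     bulletin names as the fix for CVE-2017-7525. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>            <!-- assumed -->
  <artifactId>rest-app</artifactId>     <!-- assumed -->
  <version>1.0</version>                <!-- assumed -->

  <properties>
    <!-- one place to bump Jackson when the next advisory lands -->
    <jackson.version>2.9.2</jackson.version>
  </properties>

  <!-- dependencyManagement takes precedence over the transitive
       Jackson version that struts2-rest-plugin would otherwise pull in -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <!-- assumed: a plugin version still in the affected range -->
      <version>2.5.14</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` should list only the 2.9.2 artifacts; any older jackson-databind still appearing there means another dependency is bringing it in and needs the same override.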