Summary

| Summary | |
|---|---|
| Excerpt | A RCE vulnerability in the Jackson JSON library |
| Who should read this | All Struts 2 developers and users who are using the REST plugin |
| Impact of vulnerability | It is possible to perform a RCE attack using a crafted JSON payload; please read the linked issue for more details: https://github.com/FasterXML/jackson-databind/issues/1599 |
| Maximum security rating | Important |
| Recommendation | Upgrade to Struts 2.5.14.1 |
| Affected Software | Struts 2.5 - Struts 2.5.14 |
| Reporter | David Dillard <david dot dillard at veritas dot com> - Veritas Technologies Product Security Group; HPE (TBD) |
| CVE Identifier | Related to CVE-2017-7525 |

Problem
A RCE vulnerability was detected in the latest Jackson JSON library, which was reported here. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525.

The REST Plugin is using an outdated JSON-lib library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted JSON payload.
Solution
Upgrade to Apache Struts version 2.5.14.1 or 2. 4. Another solution is to use the Jackson handler instead of the default JSON-lib handler as described here, or manually upgrade the Jackson dependencies in your project to non-vulnerable versions, see this comment.
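For the "manually upgrade Jackson dependencies" option, the following Maven `pom.xml` fragment is an added example (not from the advisory or the Struts project): it pins the Jackson artifacts to 2.9.2, the version the advisory names, through `dependencyManagement`, so that the override wins over whatever the REST plugin pulls in transitively. The Jackson coordinates are the library's real ones; everything else about the project layout is assumed.

```xml
<!-- Added example, not part of the advisory: force the Jackson version
     used by the REST plugin. dependencyManagement applies to transitive
     dependencies too, which is what matters here because the application
     usually does not declare jackson-databind directly. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- 2.9.2 is the version the advisory says addresses CVE-2017-7525 -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.2</version>
      </dependency>
      <!-- keep core and annotations on the same release line as databind -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>2.9.2</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>2.9.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After rebuilding, check the resolved versions with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`; every Jackson artifact listed should show 2.9.2 rather than the version bundled with the REST plugin.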
Backward compatibility
No backward incompatibility issues are expected.
Workaround
Use Jackson handler instead of the default JSON-lib handler as described here.
Upgrade Jackson JSON library to the latest version.
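As an added example of the first workaround (not configuration from the advisory itself), the following `struts.xml` fragment registers the REST plugin's Jackson handler and tells the plugin to use it for JSON instead of the default JSON-lib handler. The bean class `org.apache.struts2.rest.handler.JacksonLibHandler` and the constant `struts.rest.handlerOverride.json` are taken from the REST plugin documentation, which is what the advisory links as "here"; verify both against that page for your Struts version.

```xml
<!-- Added example, not part of the advisory: route JSON handling in the
     REST plugin through Jackson rather than JSON-lib. -->
<struts>
  <!-- register the Jackson-based ContentTypeHandler under the name "jackson" -->
  <bean type="org.apache.struts2.rest.handler.ContentTypeHandler"
        name="jackson"
        class="org.apache.struts2.rest.handler.JacksonLibHandler"/>
  <!-- override the handler the plugin uses for the "json" extension -->
  <constant name="struts.rest.handlerOverride.json" value="jackson"/>
</struts>
```

This only swaps the handler; the Jackson version on the classpath still needs to be a non-vulnerable one, which is why the advisory lists the upgrade as a second workaround.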