Versions Compared

Old Version 2

changes.mady.by.user Lukasz Lenart

Saved on

compared with

New Version Current

changes.mady.by.user Lukasz Lenart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Summary

Excerpt

Vulnerability A RCE vulnerability in the Jackson JSON library


Who should read this

All Struts 2 developers and users which are using the REST plugin

Impact of vulnerability

Not clear

It is possible perform a RCE attack using a crafted JSON payload, please read the linked issue for more details

.

https://github.com/FasterXML/jackson-databind/issues/1599

Maximum security rating

Medium

Important

Recommendation

Upgrade to Struts 2.5.14.1

or Struts 2.4 (TBD)

Affected Software

Struts 2.1.1 - 2.3.34,

Struts 2.5 - Struts 2.5.14

Reporter

 

David Dillard < david dot dillard at veritas dot com> - Veritas Technologies Product Security Group

CVE Identifier

 

Related to CVE-2017-7525

Problem

A RCE vulnerability was detected in the latest Jackson JSON library, which was reported here. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525.

...

Upgrade to Apache Struts version 2.5.14.1 or 2. 4. Another solution is to manually upgrade Jackson dependencies in your project to not vulnerable versions, see this comment.

...

Upgrade Jackson JSON library to the latest version.