[CXF-7752] CVE-2018-5968 and CVE-2018-7489 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.1.16, 3.2.5
Component/s: None
Labels:
None

Estimated Complexity:
Unknown

Description

Analyzing the dependencies of my project using OWASP Dependency Check a transitive dependency of org.apache.cxf:cxf-rt-ws-security:jar:3.2.4:compile shows two issues in

ehcache-2.10.4.jar/rest-management-private-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml

and the following explanations are reported:

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Please consider updating net.sf.ehcache:ehcache:jar:2.10.4 when/if it solves CVE-2018-5968 and CVE-2018-7489.

Attachments

Activity

People

Assignee:: Dennis Kieselhorst

Reporter:: Giacomo Boccardo

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Jun/18 13:17

Updated:: 25/Mar/19 12:28

Resolved:: 05/Jun/18 11:47