Lucene search
David Dillard1337DAY-ID-29102HistoryDec 02, 2017 - 12:00 a.m.
Apache Struts2 S2-055 DoS Vulnerability
2017-12-0200:00:00
David Dillard
0day.today
98
0.531 Medium
EPSS
Percentile
97.3%
Exploit for multiple platform in category dos / poc
Summary
Vulnerability in the Jackson JSON library
Who should read this All Struts 2 developers and users which are using the REST plugin
Impact of vulnerability Not clear, please read the linked issue for more details. https://github.com/FasterXML/jackson-databind/issues/1599
Maximum security rating Medium
Recommendation Upgrade to Struts 2.5.14.1
Affected Software Struts 2.5 - Struts 2.5.14
Reporter David Dillard < david dot dillard at veritas dot com> - Veritas Technologies Product Security Group
CVE Identifier CVE-2017-7525
Problem
A vulnerability was detected in the latest Jackson JSON library, which was reported here. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525.
Solution
Upgrade to Apache Struts version 2.5.14.1. Another solution is to manually upgrade Jackson dependencies in your project to not vulnerable versions, see this comment.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
Upgrade Jackson JSON library to the latest version.
Source
https://cwiki.apache.org/confluence/display/WW/s2-055
# 0day.today [2018-04-02] #Related
osv
osv
jackson-databind - security update
2017-10-20 00:00:00
jackson-databind is vulnerable to a deserialization flaw
2018-10-16 17:21:35
CVE-2017-7525
2018-02-06 15:29:00
redhatcve
redhatcve
redhat
redhat
(RHSA-2017:1839) Important: rh-eclipse46-jackson-databind security update
2017-07-31 16:09:20
(RHSA-2017:1840) Important: devtoolset-4-jackson-databind security update
2017-07-31 16:09:44
(RHSA-2017:3190) Important: rh-eclipse46-jackson-databind security update
2017-11-13 04:15:22
debian
debian
[SECURITY] [DSA 4004-1] jackson-databind security update
2017-10-20 05:52:40
[SECURITY] [DSA 4004-1] jackson-databind security update
2017-10-20 05:52:40
[SECURITY] [DSA 4190-1] jackson-databind security update
2018-05-03 13:56:38
openvas
openvas
Mageia: Security Advisory (MGASA-2017-0255)
2022-01-28 00:00:00
Fedora Update for jackson-databind FEDORA-2017-6a75c816fa
2017-08-13 00:00:00
Fedora Update for jackson-databind FEDORA-2017-8df9efed5f
2017-08-04 00:00:00
seebug
seebug
Apache Struts2 S2-055(CVE-2017-7525)
2017-12-01 00:00:00
Jackson enableDefaultTyping method of deserialization code execution vulnerability(CVE-2017-7525)
2017-04-17 00:00:00
Jackson-databind θΏη¨δ»£η ζ§θ‘ζΌζ΄(CVE-2017-17485)
2018-01-11 00:00:00
nessus
nessus
Debian DSA-4004-1 : jackson-databind - security update
2017-10-23 00:00:00
Fedora 26 : jackson-databind (2017-6a75c816fa)
2017-08-14 00:00:00
Fedora 24 : jackson-databind (2017-8df9efed5f)
2017-08-11 00:00:00
huawei
huawei
fedora
fedora
[SECURITY] Fedora 24 Update: jackson-databind-2.6.3-3.fc24
2017-07-31 19:19:46
[SECURITY] Fedora 26 Update: jackson-databind-2.7.6-3.fc26
2017-08-12 18:26:51
[SECURITY] Fedora 25 Update: jackson-databind-2.7.6-3.fc25
2017-08-11 23:54:29
ibm
ibm
cve
cve
prion
prion
Deserialization of untrusted data
2018-02-06 15:29:00
Design/Logic Flaw
2018-01-10 18:29:00
Deserialization of untrusted data
2018-02-06 15:29:00
veracode
veracode
Remote Code Execution (RCE) Through Deserialization
2017-04-19 05:40:17
Remote Code Execution (RCE) Through Deserialization
2019-01-15 09:18:21
Remote Code Execution (RCE)
2019-01-15 09:20:28
debiancve
debiancve
mageia
mageia
Updated jackson-databind packages fix security vulnerability
2017-08-12 01:24:19
Updated jackson-databind packages fix security vulnerability
2017-11-16 10:39:32
f5
f5
K65417229 : Apache Struts vulnerability CVE-2017-7525
2017-12-05 00:00:00
ubuntucve
ubuntucve
github
github
freebsd
freebsd
payara -- Default typing issue in Jackson Databind
2018-02-26 00:00:00
ubuntu
ubuntu
Jackson vulnerabilities
2021-02-18 00:00:00
checkpoint_advisories
checkpoint_advisories