geode-issues mailing list archives

From "Joris Melchior (Jira)" <j...@apache.org>
Subject [jira] [Commented] (GEODE-7264) Jackson-databind vulnerabilities
Date Mon, 07 Oct 2019 15:40:00 GMT

    [ https://issues.apache.org/jira/browse/GEODE-7264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16945970#comment-16945970 ]

Joris Melchior commented on GEODE-7264:
---------------------------------------

See security bulletin for details: [Debian security bulletin|https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html]

TL;DR: for the exploit to work, JDOM 1.x, JDOM 2.x, or logback-core jar files have to be present
in the class path. Unless Geode users have added these files themselves, these jar files are
not included in the Geode distribution.

> Jackson-databind vulnerabilities
> --------------------------------
>
>                 Key: GEODE-7264
>                 URL: https://issues.apache.org/jira/browse/GEODE-7264
>             Project: Geode
>          Issue Type: Bug
>          Components: rest (admin)
>            Reporter: Gang Yan
>            Priority: Major
>
> In case it is by when the customer can expect a patch that addresses these vulnerabilities?
> [1] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814]
> [2] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
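
The comment above makes exploitability depend on JDOM 1.x, JDOM 2.x or logback-core being on the class path. The following is an added example, not code from Geode or from the original message: a Python check that looks for those libraries by Java package path inside jar/war archives, including nested and renamed jars. The package-path mapping, the function names and the `make_zip` sample builder are assumptions introduced for illustration.

```python
import io
import os
import zipfile

# Java package paths of the libraries named in the comment (assumed mapping).
GADGET_PACKAGES = {"JDOM 1.x": "org/jdom/", "JDOM 2.x": "org/jdom2/",
                   "logback-core": "ch/qos/logback/core/"}
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, depth=0):
    """Return a set of (archive, library) pairs for one archive given as bytes."""
    hits = set()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                # Match package paths, not file names: catches renamed/shaded jars.
                for lib, pkg in GADGET_PACKAGES.items():
                    if name.startswith(pkg) or "/" + pkg in name:
                        hits.add((label, lib))
            elif name.lower().endswith(ARCHIVES) and depth < 3:
                hits |= scan_archive(zf.read(name), label + "!/" + name, depth + 1)
    return hits


def scan_tree(root):
    """Walk a directory of deployed archives and scan each one."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for fname in (f for f in files if f.lower().endswith(ARCHIVES)):
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                hits |= scan_archive(fh.read(), path)
    return sorted(hits)


def make_zip(entries):
    """Build a constructed in-memory sample archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

`scan_tree(path)` returns sorted `(archive, library)` pairs; an empty list means none of the three libraries was found in any archive under that directory.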
