CVE-2017-7525,CVE-2017-15095 and CVE-2017-17485 fix for all these vulnerabilities.

[samawarad]

Hi team,

We have below 3 vulnerabilities reported on jackson-databind 2.2.1, 2.2.3 and 2.4.3 in 3 different components of the product. We want to maintain the same single version of jackson-databind in all 3 components which has fix for all vulnerabilities reported.

CVE-2017-7525 -> Fix available in 2.6.7.1
CVE-2017-15095 -> Fix available in 2.6.7.3
CVE-2017-17485 -> Fix available in 2.7.9.2

Can we uppgrade to 2.7.9.2?

[pjfanning]

Closing. This is an abuse of GitHub discussions. Try changing Jackson version yourself. Why are we supposed to guess what impact this will have on your code?

[cowtowncoder]

On question itself relevant issues should have fixed in versions and 2.7.9.2 likely has all fixes. But you should check to make sure. Also: the latest micro-patch for 2.7 is 2.7.9.7 so use that (https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.7) instead. Also: Tidelift has metadata about fixed in versions if you are a subscriber.

…

On Tue, Apr 23, 2024 at 11:04 AM PJ Fanning ***@***.***> wrote: Closing. This is an abuse of GitHub discussions. Try changing Jackson yourself. Why are we supposed to guess what impact this will have on your code. — Reply to this email directly, view it on GitHub <#4495 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAANOGJMHIHYIVK7UNHVB5LY62PDLAVCNFSM6AAAAABGVHV52SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANZTGA2TSNZSG4> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[cowtowncoder]

Relevant Jackson issues with fixed-in versions:

• CVE-2017-7525: Jackson Deserializer security vulnerability via default typing (CVE-2017-7525) #1599
• CVE-2017-15095: Block more JDK types from polymorphic deserialization (CVE 2017-15095) #1737
• CVE-2017-17485: Block more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485) #1855

[samawarad]

Hi @cowtowncoder Thanks for updating CVE-2017-7525. Thanks for your time and support :)

[cowtowncoder]

You are welcome @samawarad .

[samawarad]

Closing. This is an abuse of GitHub discussions. Try changing Jackson version yourself. Why are we supposed to guess what impact this will have on your code?

I am sorry if asking a question is abuse of gtihub discussions. I am really not looking for impact on our code. One of contributor @cowtowncoder updated for CVE-2017-7525, which will really help people who are looking for fixed versions. Few details were not clear so raised this query.
Thanks for all of your time and support. Cheers!!