jackson-databind deserialisation vulnerability - CVE-2017-7525 and CVE-2017-15095

Dear CaféX customers and partners

CVE-2017-7525 and CVE-2017-15095 describe a deserialisation flaw in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.

Whilst CaféX does use jackson-databind for object deserialisation in many of its products, none of them enable global polymorphic deserialisation via enableDefaultTyping(...). Therefore there are no execution paths that would expose this vulnerability in any CaféX products in the field today.
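An added example (not CaféX code) of the distinction the notice draws: a default ObjectMapper treats a client-supplied class name as plain data, while one with enableDefaultTyping() honours it and instantiates that class. It assumes jackson-databind 2.10 or later for the allow-list form; the Envelope class, the input and the package prefix are constructed for illustration.

```java
// Added example, not CaféX code. Assumes jackson-databind 2.10+ on the classpath
// (activateDefaultTyping and BasicPolymorphicTypeValidator arrived in 2.10; older
// releases only have enableDefaultTyping()). Envelope, INPUT and the package
// prefix below are constructed for illustration.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class DefaultTypingCheck {

    // A DTO with an Object-typed field: the shape that global default typing affects.
    public static class Envelope {
        public Object payload;
    }

    // Constructed input: a client-supplied class name in Jackson's array type-id form.
    // A harmless JDK type is named here; the point is that the client picks the class.
    static final String INPUT = "{\"payload\":[\"java.lang.String\",\"hello\"]}";

    public static void main(String[] args) throws Exception {
        // 1. Default ObjectMapper: no default typing, so the array is just a List of two strings.
        ObjectMapper safe = new ObjectMapper();
        Envelope e1 = safe.readValue(INPUT, Envelope.class);
        System.out.println("default mapper -> " + e1.payload.getClass().getName()); // java.util.ArrayList

        // 2. Global default typing (the setting the notice says CaféX does not use):
        //    Jackson now resolves the client-supplied class name and instantiates it.
        @SuppressWarnings("deprecation")
        ObjectMapper unsafe = new ObjectMapper().enableDefaultTyping();
        Envelope e2 = unsafe.readValue(INPUT, Envelope.class);
        System.out.println("enableDefaultTyping -> " + e2.payload.getClass().getName()); // java.lang.String

        // 3. If polymorphic typing is genuinely needed: allow-list the subtypes instead,
        //    so a class name outside the listed package is rejected rather than loaded.
        ObjectMapper restricted = new ObjectMapper().activateDefaultTyping(
                BasicPolymorphicTypeValidator.builder()
                        .allowIfSubType("com.example.dto.")   // constructed package prefix
                        .build(),
                ObjectMapper.DefaultTyping.NON_FINAL);
        try {
            restricted.readValue(INPUT, Envelope.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("allow-list rejected type id: " + ex.getTypeId());
        }
    }
}
```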

However, given that CaféX ships vulnerable versions of jackson-databind, we plan to move to the latest available version of jackson-databind where possible to mitigate CVE-2017-7525. Where this is not possible we will manually patch jackson-databind with the fixes documented in BZ 1462702. Versions of FAS, LA/FCSDK & SA should be available by the end of January 2018 - please contact support@cafex.com for details at that time.

We will continue to monitor CVE-2017-15095 and plan to move products to the version of jackson-databind containing a fix where possible, or to patch manually where it is not.

If you have any questions please contact CaféX support via support@cafex.com.

Regards, CaféX support team.


Update 5th Jan 2018

CaféX has released the following to address the vulnerable jackson library versions:

  • FAS 2.5.16
  • FCSDK 3.3.2

We are still on target to make available a version of LA with the latest jackson libraries around the end of January 2018.

If you have any questions please contact CaféX support via support@cafex.com.
