jackson-databind deserialisation vulnerability - cve-2017-7525 and cve-2017-15095

Dear CaféX customers and partners

cve-2017-7525 and cve-2017-15095 describes a deserialization flaw in jackson-databind which could allow an unauthenticated user to perform code execution by sending a maliciously crafted input to the readValue method of the ObjectMapper.

Whilst CaféX does use jackson-databind for object deserialisation in many of its products none enable global polymorphic deserialization via enableDefaultTyping(...). Therefore there are no execution paths that would expose this vulnerability in any CaféX products in the field today.

However, given that CaféX ships vulnerable versions of jackson-databind we plan on moving to the latest available version of jackson-databind where possible to mitigate cve-2017-7525. Where this is not possible we will manually patch jackson-databind with the fixes documented by BZ 1462702. Versions of FAS, LA/FCSDK & SA should be available by the end of Jan 2018 - please contact support@cafex.com for details at that time.

We will continue to monitor cve-2017-15095 and plan to move products to using the version of jackson-databind containing a fix where possible or manually patch.

If you have any questions please contact CaféX support via support@cafex.com.

Regards CaféX support team.

 

Update 5th Jan 2018

CaféX has released the following to address the vulnerable jackson library versions:

  • FAS 2.5.16
  • FCSDK 3.3.2

We are still on target to make available a version of LA with latest jackson libraries around the end of January 2018.   

 

Update 29th Jan 2018 

Jackson 2.9.4 was released 24th Jan 2018 addressing cve-2017-15095. CaféX will release versions of FCSDK, LA and SA built against this version around 12th February 2018.

Having analysed the changes applied to resolve #1855 we can confirm that FAS 2.5.16 is patch to the level required to mitigate cve-2017-15095

 

Update 22nd Feb 2018

The following product versions are available from CaféX:

  • FAS 2.5.16
  • FCSDK 3.3.4
  • Live Assist 1.57
  • Supervisor Assist 16.0

These versions address the following vulnerabilities:

If you have any questions please contact CaféX support via support@cafex.com.

 

 

 

Have more questions? Submit a request

Comments