A vulnerability, CVE-2017-15095, exists in the Jackson JSON library versions prior to 2.9.2. The recommended solution is to upgrade to Jackson 2.9.3.
We are currently running Jira v7.4.3#74005.
Here are some of the .jar files that have been pointed out as needing remediation:
jackson-databind-2.3.2.jar
jackson-annotations-2.3.0.jar
jackson-core-2.3.2.jar
jackson-mapper-asl-1.9.13-atlassian-1.jar
I'm looking for remediation steps for CVE-2017-15095 but have been unsuccessful in finding any.
Hi Ethan,
Take a look at the Atlassian Security Advisories page. Since Jira itself is not using the affected Struts component, Jira is not affected by this vulnerability outlined in CVE-2017-15095 on Apache Struts.
Let us know if you have any remaining questions.
Cheers,
Branden
Thank you for the quick response, Branden. Would removing these .jar files still allow for JIRA to function without issue for the end user?
JIRA was already installed on the server so I'm not really familiar with the ins and outs of it. I'm just trying to gather a greater understanding.