Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Jackson JSON library vulnerability CVE-2017-15095

Ethan Jackson
Ethan Jackson December 12, 2017

A vulnerability CVE-2017-15095 exists in the Jackson JSON library versions prior to 2.9.2. The recommended solution has been made to upgrade to Jackson 2.9.3.

We are currently running Jira v7.4.3#74005

Here are some of the .jar files that have been pointed out as needed to be remediation.

jackson-databind-2.3.2.jar

jackson-annotations-2.3.0.jar

jackson-core-2.3.2.jar

jackson-mapper-asl-1.9.13-atlassian-1.jar

I'm looking for remediation steps for CVE-2017-15095  but has been unsuccessful in finding any.

Answer
Watch
Like Be the first to like this
1388 views

1 answer

0 votes
somethingblue
somethingblue
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 12, 2017

Hi Ethan,


Take a look at the Atlassian Security Advisories page.  Since Jira itself is not using the affected Struts component Jira is not affected by this vulnerability outlined in CVE-2017-15095 on Apache Struts.

Let us know if you have any remaining questions.

Cheers,

Branden

View More Comments
Ethan Jackson
Ethan Jackson December 12, 2017

Thank you for the quick response Branden. Would removing these .jar files still allow for JIRA to function without issue for the end user?

JIRA was already installed on the server so I'm not really familiar with the ins and outs of it.  I'm just trying to gather a greater understanding.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events