Reflection for Secure IT Gateway 1.1 SP1 (188.8.131.528)
Reflection ZFE 2.2.2 or earlier
Host Access Management and Security Server (MSS) 12.4.14 or earlier
Certain versions of the Jackson library (jackson-databind) allow unauthenticated remote code execution (RCE), exploitable via maliciously crafted JSON input.
This issue is resolved in new product releases that include an updated Jackson library (version 184.108.40.206 and higher, or 2.9.5 and higher). Product updates are available to maintained customers from the Downloads website:
- Reflection for Secure IT: Issue is resolved beginning in product version 1.1 SP1 U1 (220.127.116.117), released April 2018.
- Reflection ZFE: Issue is resolved beginning in version 2.2.3, released May 2018, which includes Host Access Management and Security Server 12.4.15.006 with Jackson library version 2.9.5.
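Upgrading is the fix this advisory prescribes; for applications that embed jackson-databind themselves, the setting behind this class of RCE is polymorphic ("default") typing, which lets the JSON document name the class to instantiate. The block below is an added example, not code from the advisory or from the products listed above, showing that weak setting beside a hardened one that allow-lists the permitted subtypes. It assumes the Jackson 2.10+ validator API and hypothetical application types `Event`, `LoginEvent` and `AdminEvent`.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
// Added example (Jackson 2.10+ API); not code from the advisory or the products it lists.
public class HardenedJacksonConfig {
    // Hypothetical application types: one base interface, two concrete events.
    public interface Event {}
    public static final class LoginEvent implements Event { public String user; }
    public static final class AdminEvent implements Event { public String action; }

    // Weak setting: default typing for every non-final type lets the JSON document
    // choose which class is instantiated, the precondition for this RCE class.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened setting: polymorphic typing stays on, but the type id named in
    // the JSON is checked against an allow-list before any object is created.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(LoginEvent.class)   // the only permitted subtype
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Constructed input (default typing uses the ["type-id", value] wrapper form).
        String allowed = "[\"" + LoginEvent.class.getName() + "\",{\"user\":\"alice\"}]";
        LoginEvent ev = (LoginEvent) mapper.readValue(allowed, Event.class);
        System.out.println("accepted: " + ev.user);

        // AdminEvent is a valid Event but not on the allow-list, so the
        // validator rejects the type id instead of instantiating it.
        String denied = "[\"" + AdminEvent.class.getName() + "\",{\"action\":\"drop\"}]";
        try {
            mapper.readValue(denied, Event.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```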
On 30-May-2018, this published document contained incorrect affected version information; it was corrected later the same day.