Jackson deserialization vulnerability in Filr (CVE-2017-7525, CVE-2017-15095, CVE-2017-17485)

  • 7023098
  • 14-Jun-2018
  • 21-Jun-2018

Environment

Micro Focus Filr 3.3

Situation

A deserialization flaw was discovered in jackson-databind, versions including 2.6.7.1, 2.7.9.1, 2.8.9, 2.8.10, and 2.9.x through 2.9.3, which could allow an unauthenticated user to execute code by sending maliciously crafted input to the readValue method of ObjectMapper.

Filr uses the Jackson libraries for its REST interface.
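
The flaw the CVEs above describe comes from Jackson "default typing": when it is enabled, the JSON document itself can name the class to instantiate, so untrusted input reaching readValue becomes a class-loading decision. The following example is added here for illustration and is not Filr's code or part of this advisory. It contrasts the weak global configuration with a hardened one and with plain typed binding. It assumes jackson-databind 2.10 or later for the PolymorphicTypeValidator API (which is newer than the 2.9.4 release named below); the Note class, the package prefix and the JSON inputs are constructed for the demo.

```java
// Added illustration (not Filr's code): how jackson-databind default typing
// lets untrusted JSON choose the class to build, and how to constrain it.
// Assumes jackson-databind 2.10+ for PolymorphicTypeValidator; the Note class,
// the package prefix and the JSON strings below are constructed for this demo.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Constructed value class: the only shape this REST endpoint should accept.
    public static class Note {
        public String title;
        public String body;
    }

    // Weak configuration: global default typing honours a type id embedded in
    // the document for any non-final declared type, including Object.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(DefaultTyping.NON_FINAL); // deprecated since 2.10 for this reason
        return mapper;
    }

    // Hardened configuration: where polymorphic typing is genuinely needed,
    // an allow-list validator admits only the application's own classes.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.filrdemo.") // hypothetical package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the default-typing wrapper form, naming a JDK class
        // rather than the Note the endpoint expects.
        String untrusted = "[\"java.util.HashMap\", {\"title\":\"x\"}]";

        // Weak mapper: the declared type Object tells Jackson nothing, so the
        // type id in the document decides which class is instantiated.
        Object fromWeak = weakMapper().readValue(untrusted, Object.class);
        System.out.println("weak mapper built: " + fromWeak.getClass().getName());

        // Hardened mapper: the same document is rejected before any instance is
        // created, because java.util.HashMap is outside the allow-list.
        try {
            hardenedMapper().readValue(untrusted, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }

        // Preferred option when the endpoint knows its type: bind to the concrete
        // class with default typing left off, so no type id is consulted at all.
        ObjectMapper plain = new ObjectMapper();
        Note note = plain.readValue("{\"title\":\"hello\",\"body\":\"world\"}", Note.class);
        System.out.println("plain mapper built Note: " + note.title);
    }
}
```

The last case is the one that matters most for a REST interface: binding each endpoint to a concrete class with default typing disabled removes the document's ability to name a class, independently of which jackson-databind version is installed. Upgrading the library (as the Resolution below does) blocks the known gadget classes; removing default typing removes the mechanism.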

Resolution

A fix for this issue is available in the Filr 3.4 Update, which updates the Jackson libraries in Filr to version 2.9.4.

Additional Information