Jackson deserialization vulnerability in Filr (CVE-2017-7525, CVE-2017-15095, CVE-2017-17485)

  • 7023098
  • 14-Jun-2018
  • 21-Jun-2018

Environment

Micro Focus Filr 3.3

Situation

A deserialization flaw was discovered in the jackson-databind, versions including 2.6.7.1, 2.7.9.1, 2.8.9, 2.8.10, 2.9.x through 2.9.3, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Filr uses the jackson libraries for REST interface.

Resolution

A fix for this issue is available in the Filr 3.4 Update which updates the jackson libraries in Filr to version 2.9.4.

Additional Information

Feedback service temporarily unavailable. For content questions or problems, please contact Support.