Jackson-databinding module vulnerability which is packaged in ehcache


Gouthami M

Feb 21, 2018, 3:13:45 AM2/21/18
to ehcache-users
  1. What version of Ehcache you are currently using; Ehcache-2.10.1.jar
  2. Add any name and version of other library or framework you use Ehcache with (e.g. Hibernate);
  3. Providing JDK and OS versions may be useful as well: JDK: 1.8, OS: Linux and Windows
  4. In ehcache-2.10.1.jar, I see a fasterxml-jackson-databind-module 2.3.3 dependency. There is a vulnerability on version below 2.8.0 of jackson-databind : CVE-2017-15095 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095).

As there are significant changes in ehcache3 and we are not ready to upgrade, I would like to know if ehcache is impacted by this vulnerability of jackson. If so, how to overcome it?

Thanks,
Gouthami

Henri Tremblay

Feb 21, 2018, 7:07:16 AM2/21/18
to ehcach...@googlegroups.com
If you are not using the cache server, you are fine.

If you are, I will need to investigate a bit more to be conclusive.

--
You received this message because you are subscribed to the Google Groups "ehcache-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ehcache-users+unsubscribe@googlegroups.com.
To post to this group, send email to ehcach...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/afb01354-820a-40d1-bd2d-686b78452630%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Anthony Dahanne

Feb 21, 2018, 7:13:59 AM2/21/18
to ehcache-users
Henri, I believe he is using the ehcache 2.10.1 "fat jar", that includes the management rest agent.
Gouthami, you could at least upgrade to 2.10.4 
Then, maybe you could try to only depend on ehcache-core (https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22net.sf.ehcache.internal%22%20AND%20a%3A%22ehcache-core%22), and add missing components on demand.
Thanks,
Anthony
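The two answers above boil down to three checks a practitioner wants to run before deciding whether to act: does the Ehcache jar on the classpath actually carry jackson-databind classes, what version does the bundled copy declare, and is the management REST agent enabled in ehcache.xml so that the bundled copy is reachable at all. The script below is an added example, not code from the Ehcache project or from anyone in this thread. It assumes the Ehcache 2.x configuration element is `<managementRESTService enabled="true" .../>`, it treats the fixed-version threshold as an input (the usage mirrors the 2.8.0 figure quoted in the question; confirm the exact fixed release against the advisory itself), and the sample "fat jar" it scans is constructed in memory with an illustrative layout, not a real Ehcache artifact.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

DATABIND_CLASS_DIR = "com/fasterxml/jackson/databind/"
DATABIND_POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"


def parse_version(text):
    """'2.3.3' -> (2, 3, 3); tolerates suffixes such as '2.9.1.1' or '2.8.10-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def scan_jar(data, nested_prefix=""):
    """Walk a jar, and any jar nested inside it, and record every path that holds
    jackson-databind classes plus every version declared in its pom.properties.
    The prefix check is deliberately layout-agnostic: shaded, relocated-to-a-
    private-directory and jar-in-jar packaging are all caught."""
    report = {"class_paths": [], "versions": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = nested_prefix + name
            if DATABIND_CLASS_DIR in name and name.endswith(".class"):
                report["class_paths"].append(path)
            elif name.endswith(DATABIND_POM_PROPS):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        report["versions"].add(value.strip())
            elif name.endswith(".jar"):
                inner = scan_jar(zf.read(name), nested_prefix=path + "!/")
                report["class_paths"] += inner["class_paths"]
                report["versions"] |= inner["versions"]
    return report


def rest_agent_enabled(ehcache_xml):
    """True if the (assumed) Ehcache 2.x element <managementRESTService enabled="true"/>
    is present; a missing element or enabled="false" means the agent is off."""
    root = ET.fromstring(ehcache_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "managementRESTService":
            return el.get("enabled", "false").strip().lower() == "true"
    return False


def assess(jar_bytes, ehcache_xml, minimum_version):
    """Combine the three checks into the verdict the thread reasons about."""
    report = scan_jar(jar_bytes)
    bundled = bool(report["class_paths"])
    below = any(parse_version(v) < minimum_version for v in report["versions"])
    exposed = rest_agent_enabled(ehcache_xml)
    if not bundled:
        verdict = "no jackson-databind bundled in this jar"
    elif not exposed:
        verdict = "bundled but REST agent disabled: not reachable through Ehcache"
    elif below:
        verdict = "bundled, below minimum version, REST agent enabled: upgrade or disable the agent"
    else:
        verdict = "bundled and REST agent enabled, version at or above minimum"
    return {"bundled": bundled, "versions": sorted(report["versions"]),
            "below_minimum": below, "rest_agent_enabled": exposed, "verdict": verdict}


def sample_fat_jar():
    """Constructed sample (not a real Ehcache build): jackson-databind 2.3.3 under a
    private classpath directory and, to exercise recursion, inside a nested jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(DATABIND_CLASS_DIR + "ObjectMapper.class", b"\xca\xfe\xba\xbe")
        zf.writestr(DATABIND_POM_PROPS, "groupId=com.fasterxml.jackson.core\nversion=2.3.3\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("net/sf/ehcache/Cache.class", b"\xca\xfe\xba\xbe")
        zf.writestr("private-classpath/" + DATABIND_CLASS_DIR + "JsonNode.class", b"\xca\xfe\xba\xbe")
        zf.writestr("private-classpath/" + DATABIND_POM_PROPS, "version=2.3.3\n")
        zf.writestr("lib/jackson-databind.jar", inner.getvalue())
    return outer.getvalue()


# Constructed configs: one with the agent on, one plain cache config.
REST_ON = '<ehcache><managementRESTService enabled="true" bind="0.0.0.0:9888"/></ehcache>'
REST_OFF = '<ehcache><defaultCache maxEntriesLocalHeap="100"/></ehcache>'

if __name__ == "__main__":
    jar = open("ehcache.jar", "rb").read() if False else sample_fat_jar()
    for cfg in (REST_ON, REST_OFF):
        print(assess(jar, cfg, parse_version("2.8.0")))
```

Point `scan_jar` at the real `ehcache-2.10.x.jar` (or at every jar on the application classpath) and `rest_agent_enabled` at the ehcache.xml actually deployed. The verdict only covers the exposure that goes through Ehcache's REST agent, which is the question Henri answered; a separate jackson-databind copy used by the application itself is a separate finding. After switching to `ehcache-core` as Anthony suggests, rerun the scan on the new classpath to confirm the databind classes are gone rather than merely relocated.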

Henri Tremblay

Feb 21, 2018, 7:19:19 AM2/21/18
to ehcach...@googlegroups.com
Yes. You are right. But same answer. If you are not using (exposing) the REST agent, you are fine.

Gouthami M

Oct 29, 2018, 2:11:18 AM10/29/18
to ehcache-users
Hi Anthony,
Is cluster configuration supported with ehcache-core 2.10.5 jar ?

Regards,
Gouthami
