Dear Live Assist Customers and Partners,
CVE-2017-7525 and CVE-2017-15095 describe a deserialization flaw in jackson-databind which could allow an unauthenticated user to perform code execution by sending a maliciously crafted input to the readValue method of the ObjectMapper.
Whilst Live Assist does use jackson-databind for object deserialisation in many of its products, none enable global polymorphic deserialization via enableDefaultTyping(...). Therefore there are no execution paths that would expose this vulnerability in any CaféX products in the field today.
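The distinction the advisory draws, global default typing versus no default typing, is a one-line ObjectMapper setting, so a defender's check is cheap. The following Java class is an added example, not CaféX/CBA code: it builds a mapper with the default (safe) configuration, verifies programmatically that global default typing is off, and shows the annotation-based alternative for polymorphism, where the permitted concrete classes are fixed in code and the JSON carries only a logical name. The `Message` hierarchy, the `defaultTypingEnabled` helper and the use of `getDefaultTyper(...)` for the check are assumptions of this example, written against the Jackson 2.9 API.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example (not vendor code): detect the risky ObjectMapper setting and
// show the safe way to deserialise a polymorphic hierarchy.
public class JacksonTypingCheck {

    // Safe polymorphism: the allowed subtypes are enumerated here, and the
    // wire format carries a logical name ("kind"), never a Java class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = TextMessage.class, name = "text"),
        @JsonSubTypes.Type(value = PingMessage.class, name = "ping")
    })
    public static abstract class Message {}

    public static class TextMessage extends Message { public String body; }
    public static class PingMessage extends Message { public long sentAt; }

    /**
     * Returns true if global default typing (the enableDefaultTyping(...)
     * setting named in the advisory) is active on this mapper. A configured
     * default typer is what makes readValue honour class names from input.
     */
    public static boolean defaultTypingEnabled(ObjectMapper mapper) {
        return mapper.getDeserializationConfig()
                     .getDefaultTyper(mapper.constructType(Object.class)) != null;
    }

    public static void main(String[] args) throws Exception {
        // Default construction: no global default typing.
        ObjectMapper safe = new ObjectMapper();
        // The setting to avoid, shown only for contrast (never enable it):
        // ObjectMapper risky = new ObjectMapper().enableDefaultTyping();

        // Fail fast at startup if someone turns global typing on later.
        if (defaultTypingEnabled(safe)) {
            throw new IllegalStateException("global default typing must stay disabled");
        }

        // Constructed sample input: the type id is a name from the allow-list above.
        String json = "{\"kind\":\"text\",\"body\":\"hello\"}";
        Message m = safe.readValue(json, Message.class);
        System.out.println(m.getClass().getSimpleName()); // TextMessage

        // An unknown "kind" is rejected rather than resolved to an arbitrary class.
        try {
            safe.readValue("{\"kind\":\"other\"}", Message.class);
        } catch (com.fasterxml.jackson.databind.JsonMappingException e) {
            System.out.println("rejected unknown type id: " + e.getMessage());
        }
    }
}
```

The `defaultTypingEnabled` check is worth running as a unit test against every ObjectMapper a service constructs, since the vulnerable behaviour depends on configuration rather than on the library version alone. In Jackson 2.10 and later, `enableDefaultTyping()` is deprecated in favour of `activateDefaultTyping(PolymorphicTypeValidator, ...)`, which requires an explicit validator; the annotation approach above works unchanged across versions.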
However, given that Live Assist ships vulnerable versions of jackson-databind, we plan on moving to the latest available version of jackson-databind where possible to mitigate CVE-2017-7525. Where this is not possible we will manually patch jackson-databind with the fixes documented by BZ 1462702. Versions of FAS, LA/FCSDK & SA should be available by the end of Jan 2018; please contact Customer Support for details at that time.
We will continue to monitor CVE-2017-15095 and plan to move products to the version of jackson-databind containing a fix where possible, or to manually patch.
If you have any questions please contact CBA support via Customer Support.
Regards, CBA support team.
Update 5th Jan 2018
CaféX has released the following to address the vulnerable jackson library versions:
- FAS 2.5.16
- FCSDK 3.3.2
We are still on target to make available a version of LA with latest jackson libraries around the end of January 2018.
Update 29th Jan 2018
Jackson 2.9.4 was released 24th Jan 2018 addressing CVE-2017-15095. CBA will release versions of FCSDK, LA and SA built against this version around 12th February 2018.
Having analysed the changes applied to resolve #1855, we can confirm that FAS 2.5.16 is patched to the level required to mitigate CVE-2017-15095.
Update 22nd Feb 2018
The following product versions are available from CBA:
- FAS 2.5.16
- FCSDK 3.3.4
- Live Assist 1.57
- Supervisor Assist 16.0
These versions address the following vulnerabilities:
If you have any questions please contact CBA support via Customer Support.