
I am analyzing this CVE and I came across this link: https://github.com/FasterXML/jackson-databind/issues/2334.

It states that if the service has the jar logback-classic in its classpath then the vulnerability applies.

What is meant by this? Does it mean that if this jar exists on the server side then the CVE is exploitable? Or that the jar should be in the classpath on the server?

  • Doesn't matter where the JAR is if there's a vulnerability. It depends on what the exploit allows. You've not mentioned what version of Jackson you're using, but it probably shouldn't be as old as the linked issue – OneCricketeer Aug 16 '22 at 14:16
  • The version I'm using is affected by this CVE (version 2.9.8), and the cost of upgrading it is very high, so I'm trying to assess whether my app is exploitable via this CVE. It has happened before that I used libraries affected by CVEs that were not exploitable in my case. This is why I'm analyzing this CVE, so maybe having an accurate answer to my question will help me save weeks of work. – ethicalhacker Aug 16 '22 at 14:28
  • @OneCricketeer did you check my last comment? – ethicalhacker Aug 17 '22 at 14:44
  • I don't have an answer other than to use a vulnerability scanner... And only you/your team know how the library is used, which will determine how it would be exploitable... For example, if no-one can access the server instance where the code is running, and there is no other remote-execution vulnerability, then you already have some protection... Jackson 2.9.8 seems to be almost 4 years old, and has [over 50 vulnerabilities](https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.8) so you should definitely try to upgrade it – OneCricketeer Aug 17 '22 at 21:03
  • I get your point, just how do I know if logback-classic is in the classpath on the server running the Java app? – ethicalhacker Aug 18 '22 at 07:42
  • If you've packaged the app using Maven, use verbose dependency tree output and grep for it – OneCricketeer Aug 18 '22 at 15:17
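The check suggested in the last comment, written out as a shell example added here (it is not code from the thread or from Jackson): it looks for logback-classic both in the lib directory the server JVM actually loads from and in saved `mvn dependency:tree -Dverbose` output, since a gadget jar only matters if the JVM running Jackson can load it. The directory layout, file names and version numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate logback-classic on a deployed server and in build output.
# The runtime classpath (what is really loaded) can differ from the Maven tree,
# so both are checked. Shaded/fat jars are not detected by file name alone.

# Return 0 if any jar under directory $1 is named like logback-classic, else 1.
jar_dir_has_logback_classic() {
    find "$1" -type f -name 'logback-classic-*.jar' 2>/dev/null | grep -q .
}

# Return 0 if the saved dependency-tree output in file $1 lists
# ch.qos.logback:logback-classic (resolved or omitted duplicate), else 1.
dep_tree_has_logback_classic() {
    grep -q 'ch\.qos\.logback:logback-classic:' "$1"
}

# Combined check: $1 = server lib directory, $2 = optional dependency-tree file.
# Prints where the artifact was seen and returns 0 if found anywhere.
check_logback_classic() {
    found=1
    if jar_dir_has_logback_classic "$1"; then
        echo "logback-classic jar present under $1"
        found=0
    fi
    if [ -n "$2" ] && dep_tree_has_logback_classic "$2"; then
        echo "logback-classic declared in dependency tree $2"
        found=0
    fi
    [ "$found" -eq 0 ] || echo "logback-classic not found"
    return "$found"
}

# Constructed sample data (hypothetical paths and versions) so this runs offline.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib"
    : > "$tmp/lib/jackson-databind-2.9.8.jar"
    : > "$tmp/lib/logback-classic-1.2.3.jar"
    cat > "$tmp/tree.txt" <<'EOF'
[INFO] com.example:app:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] \- ch.qos.logback:logback-classic:jar:1.2.3:runtime
EOF
    check_logback_classic "$tmp/lib" "$tmp/tree.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a real host, point the first argument at the application's lib directory (or the servlet container's shared lib directory) and the second at the output of `mvn dependency:tree -Dverbose > tree.txt` from the build.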

0 Answers