Team,
I’m using Search Guard v6_6_5_4_24_0. In that, the jackson-databind-2.8.11.1 jar is being used, which is vulnerable to remote code execution. Kindly provide a fix for this.
Reference link: jackson-databind-2653: Advisory on a remote code execution vulnerability caused by JNDI injection_admin-root's blog-CSDN Blog_jackson vulnerability reproduction
SearchGuard is not affected by this vulnerability because it does not enable polymorphic handling in Jackson, which is required for the vulnerability. Furthermore, it only processes trusted data with Jackson.
We will anyway update to the most recent version of Jackson with the next regular release version.
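A source-level check for the precondition named in the reply above (polymorphic type handling enabled in Jackson), as an added example that is not code from this thread or from Search Guard. The Java snippets are constructed samples and `find_polymorphic_typing` is a hypothetical helper name; a textual match says nothing about whether the data being parsed is trusted.

```python
import re

# Jackson 2.x constructs that turn on polymorphic type handling.
PATTERNS = {
    "global default typing": re.compile(
        r"\.\s*(enable|activate)DefaultTyping(AsProperty)?\s*\("),
    "class-name type id": re.compile(
        r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*(?:JsonTypeInfo\s*\.\s*)?"
        r"Id\s*\.\s*(?:MINIMAL_)?CLASS\b", re.S),
}
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def strip_comments(src):
    # Blank out comments but keep newlines so reported line numbers stay correct.
    # Simplification: a "//" inside a string literal is treated as a comment too.
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)


def find_polymorphic_typing(src):
    """Return sorted (line_number, finding) pairs for one Java source text."""
    code = strip_comments(src)
    hits = []
    for label, rx in PATTERNS.items():
        for m in rx.finditer(code):
            hits.append((code.count("\n", 0, m.start()) + 1, label))
    return sorted(hits)


# Constructed sample: plain data binding to a fixed target class.
SAMPLE_PLAIN = """ObjectMapper mapper = new ObjectMapper();
// mapper.enableDefaultTyping();  (commented out, must not be reported)
Settings s = mapper.readValue(json, Settings.class);
"""

# Constructed sample: type chosen from a class name carried in the JSON.
SAMPLE_RISKY = """ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
abstract class Event {}
@JsonTypeInfo(use = JsonTypeInfo.Id.NAME)
abstract class Shape {}
"""

if __name__ == "__main__":
    for name, src in (("plain", SAMPLE_PLAIN), ("risky", SAMPLE_RISKY)):
        print(name, find_polymorphic_typing(src))
```

`Id.NAME` is not reported because the type is then picked from a fixed list of registered subtypes rather than from a class name supplied in the input.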
Will be included in the next v41 release of Search Guard.