tinkerpop-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Simeon Andonov (Jira)" <j...@apache.org>
Subject [jira] [Commented] (TINKERPOP-2355) Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues
Date Mon, 30 Mar 2020 06:30:00 GMT

    [ https://issues.apache.org/jira/browse/TINKERPOP-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17070714#comment-17070714
] 

Simeon Andonov commented on TINKERPOP-2355:
-------------------------------------------

Hello Stephen,
Thank you for the quick response!

You mentioned that we have to wait for the release of databind 2.9.10.4 , but I think it is
already available.

We are using successfully Databind 2.10.2 in the other parts of the project. It seems that
it addresses the security vulnerabilities. Is it possible to bump to it in Tinkerpop or we
have to wait for Databind 3.x ?

Best Regards,
Simeon

> Jackson-databind version in Gremlin shaded dependency needs to be increased  - introduces
vulnerability issues
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2355
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2355
>             Project: TinkerPop
>          Issue Type: Bug
>    Affects Versions: 3.4.6
>            Reporter: Simeon Andonov
>            Priority: Critical
>
> Hello colleagues,
> Encountering the following vulnerabilities during Vulas scan when Tinkerpop 3.4.6 =>
>  * FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
>  * FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI
blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between
serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig
(aka shaded hikari-config).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between
serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig
(aka ibatis-sqlmap).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between
serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
>  
> Vulnerability Id: CVE-2019-20330
> Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache
blocking. 
> References: 
>  * 
> [https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9]
>  * 
> [https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e]
>  * 
> [https://github.com/FasterXML/jackson-databind/issues/2526]
> It seems that these issues are resolved in jackson-databind 2.10.2.
> Probably a change similar to this one ([https://github.com/apache/tinkerpop/pull/1220/files])
, but applying 2.10.2 will resolve the vulnerabilities.
> Thanks in advance for the help!
> Best Regards,
> Simeon Andonov



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message