tinkerpop-dev mailing list archives

From "Stephen Mallette (Jira)" <j...@apache.org>
Subject [jira] [Commented] (TINKERPOP-2355) Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues
Date Mon, 30 Mar 2020 11:29:00 GMT

    [ https://issues.apache.org/jira/browse/TINKERPOP-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17070900#comment-17070900 ]

Stephen Mallette commented on TINKERPOP-2355:
---------------------------------------------

The most recent release I see for the 2.9.10.x line in Maven central is 2.9.10.3.

https://search.maven.org/artifact/com.fasterxml.jackson.core/jackson-databind

Am I missing something? As for 2.10.2, please see the linked: https://issues.apache.org/jira/browse/TINKERPOP-2356

> Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2355
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2355
>             Project: TinkerPop
>          Issue Type: Bug
>    Affects Versions: 3.4.6
>            Reporter: Simeon Andonov
>            Priority: Critical
>
> Hello colleagues,
> Encountering the following vulnerabilities during Vulas scan when Tinkerpop 3.4.6 =>
>  * FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
>  * FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
>
> Vulnerability Id: CVE-2019-20330
> Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
> References:
>  * [https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9]
>  * [https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e]
>  * [https://github.com/FasterXML/jackson-databind/issues/2526]
> It seems that these issues are resolved in jackson-databind 2.10.2.
> Probably a change similar to this one ([https://github.com/apache/tinkerpop/pull/1220/files]), but applying 2.10.2 will resolve the vulnerabilities.
> Thanks in advance for the help!
> Best Regards,
> Simeon Andonov



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
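The practical difficulty behind this issue is that jackson-databind is shaded into gremlin-shaded (relocated under a different package), so a build tool's dependency tree does not show which jackson-databind version is actually bundled; scanners such as Vulas fingerprint the classes instead. The script below is an added example, not TinkerPop project code or part of the Jira thread. It reads the Maven pom.properties that the shade plugin normally keeps under META-INF/maven/ inside the jar (assumption: the jar retained that metadata) and compares the recorded version against the fix versions stated in the advisory summaries quoted above. The sample jar it builds is constructed for the example; point it at a real gremlin-shaded jar to check one. Applied to 2.9.10.3, the latest 2.9.10.x release on Maven central at the time of the comment, it reports the three "before 2.9.10.4" gadget advisories as still open, which is exactly the gap discussed in the thread.

```python
"""Report which of the quoted jackson-databind advisories still apply to a shaded jar.

Added example, not TinkerPop project code. Version comparison is a plain
numeric tuple comparison across the 2.9.10.x micro releases and the 2.10 line.
"""
import io
import sys
import zipfile

# Fix versions as given in the advisory summaries quoted in the issue. The
# xbean-reflect/JNDI entry says "2.0.0 through 2.9.10.2" is affected, so the
# first fixed micro release is taken to be 2.9.10.3 (inferred from that wording).
FIXED_IN = {
    "CVE-2019-20330 net.sf.ehcache gadget": (2, 9, 10, 2),
    "xbean-reflect/JNDI gadget": (2, 9, 10, 3),
    "shaded hikari-config gadget": (2, 9, 10, 4),
    "ibatis-sqlmap gadget": (2, 9, 10, 4),
    "anteros-core gadget": (2, 9, 10, 4),
}

# Assumed location of the shaded artifact's Maven metadata inside the jar.
POM_PROPERTIES_SUFFIX = "maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"


def parse_version(text):
    """'2.9.10.3' -> (2, 9, 10, 3). A qualifier such as '-SNAPSHOT' is dropped."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def jackson_databind_version(jar_bytes):
    """Return the jackson-databind version recorded in the jar's pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(POM_PROPERTIES_SUFFIX):
                for line in jar.read(name).decode("utf-8").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None


def affected_advisories(version_text):
    """Advisories from the issue whose fix version is newer than the given version."""
    found = parse_version(version_text)
    return [name for name, fixed in FIXED_IN.items() if found < fixed]


def check_jar(jar_bytes):
    """(recorded version or None, list of advisories still open for that version)."""
    version = jackson_databind_version(jar_bytes)
    if version is None:
        # No metadata: the version is unknown, so treat every advisory as open.
        return None, list(FIXED_IN)
    return version, affected_advisories(version)


def build_sample_jar(version):
    """Constructed sample jar: one relocated class entry plus the Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/tinkerpop/shaded/jackson/databind/ObjectMapper.class", b"")
        jar.writestr(
            "META-INF/" + POM_PROPERTIES_SUFFIX,
            "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=%s\n" % version,
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_shaded_jackson.py [path/to/gremlin-shaded.jar]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_jar("2.9.10.3")
    version, open_advisories = check_jar(data)
    print("jackson-databind version:", version or "not found")
    for name in open_advisories:
        print("  still affected:", name)
```

If the jar has had its META-INF/maven/ entries filtered out, the script cannot tell the version and deliberately reports every advisory as open rather than guessing; in that case fall back to a class-fingerprinting scanner or to the project's build metadata.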
