tinkerpop-dev mailing list archives

From "Stephen Mallette (Jira)" <j...@apache.org>
Subject [jira] [Updated] (TINKERPOP-2355) Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues
Date Fri, 27 Mar 2020 14:18:00 GMT

     [ https://issues.apache.org/jira/browse/TINKERPOP-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Mallette updated TINKERPOP-2355:
----------------------------------------
    Labels:   (was: dependencies security)

Thanks. We're constantly upgrading jackson for this sort of thing (as is everyone). I think
we will look to stay on the 2.9.x release line for 3.3.x and 3.4.x, but perhaps bump to databind
3.x for TinkerPop 3.5.0. I've bumped to databind 2.9.10.3 for now (and published 3.3.11, 3.4.7,
3.5.0 SNAPSHOTs)

https://github.com/apache/tinkerpop/commit/bc7c4304dc23b5a17a6d09b75cc7aba5a01b88e1

but will not close this issue until 2.9.10.4 releases (or we release, whichever comes first).

> Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2355
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2355
>             Project: TinkerPop
>          Issue Type: Bug
>    Affects Versions: 3.4.6
>            Reporter: Simeon Andonov
>            Priority: Critical
>
> Hello colleagues,
> Encountering the following vulnerabilities during Vulas scan when TinkerPop 3.4.6 =>
>  * FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
>  * FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
>  
> Vulnerability Id: CVE-2019-20330
> Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
> References:
>  * [https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9]
>  * [https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e]
>  * [https://github.com/FasterXML/jackson-databind/issues/2526]
> It seems that these issues are resolved in jackson-databind 2.10.2.
> Probably a change similar to this one ([https://github.com/apache/tinkerpop/pull/1220/files]), but applying 2.10.2 will resolve the vulnerabilities.
> Thanks in advance for the help!
> Best Regards,
> Simeon Andonov



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
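The thread turns on a version-range question: the interim bump to 2.9.10.3 clears the two "before/through 2.9.10.2" findings but not the three "before 2.9.10.4" gadget findings, which is why the issue stays open. The following is an added illustration written for this archive page, not code from TinkerPop or from the Jira reporter. It encodes the five affected ranges exactly as quoted in the issue text (finding labels other than CVE-2019-20330 are my own shorthand, since the issue does not give their identifiers) and reports which findings a given jackson-databind version is still inside.

```python
"""Check a jackson-databind version against the affected ranges quoted in
TINKERPOP-2355.  Added example for this thread; FINDINGS, parse_version,
is_affected and open_findings are names chosen here, not project code."""
from typing import List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.9.10.3' into (2, 9, 10, 3).  Shorter strings are zero-padded to
    four parts so that '2.9.10' sorts as 2.9.10.0, below its micro releases."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


# Affected ranges as written in the issue.  Each entry is
# (label, lower bound inclusive, upper bound, upper bound inclusive?).
#   "2.x before X"     -> lower 2.0.0, upper X exclusive
#   "2.0.0 through X"  -> lower 2.0.0, upper X inclusive
FINDINGS = [
    ("CVE-2019-20330 (net.sf.ehcache blocking)", "2.0.0", "2.9.10.2", False),
    ("xbean-reflect/JNDI blocking", "2.0.0", "2.9.10.2", True),
    ("shaded hikari-config gadget", "2.0.0", "2.9.10.4", False),
    ("ibatis-sqlmap gadget", "2.0.0", "2.9.10.4", False),
    ("anteros-core gadget", "2.0.0", "2.9.10.4", False),
]


def is_affected(version: str, lower: str, upper: str, upper_inclusive: bool) -> bool:
    """True when `version` lies inside [lower, upper) or [lower, upper]."""
    v, lo, hi = parse_version(version), parse_version(lower), parse_version(upper)
    if v < lo:
        return False
    return v <= hi if upper_inclusive else v < hi


def open_findings(version: str) -> List[str]:
    """Labels of the quoted findings that still apply to `version`."""
    return [label for label, lo, hi, incl in FINDINGS
            if is_affected(version, lo, hi, incl)]


if __name__ == "__main__":
    # The versions discussed in the thread: the scanned release's baseline,
    # the interim bump, the version the comment waits for, and the reporter's
    # suggested 2.10.2.
    for v in ("2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.10.2"):
        remaining = open_findings(v)
        print(f"{v:>9}: {len(remaining)} finding(s) open", *remaining, sep="\n    " if remaining else "")
```

Run with no arguments to see the progression: 2.9.10.3 leaves the three gadget findings open, while 2.9.10.4 and 2.10.2 clear all five, matching both the maintainer's decision to keep the issue open and the reporter's note that 2.10.2 resolves the scan results.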
