From: "Stephen Mallette (Jira)"
To: dev@tinkerpop.apache.org
Reply-To: dev@tinkerpop.apache.org
Date: Fri, 27 Mar 2020 14:18:00 +0000 (UTC)
Subject: [jira] [Updated] (TINKERPOP-2355) Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues
     [ https://issues.apache.org/jira/browse/TINKERPOP-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Mallette updated TINKERPOP-2355:
----------------------------------------
    Labels:   (was: dependencies security)

Thanks. We're constantly upgrading jackson for this sort of thing (as is everyone). I think we will look to stay on the 2.9.x release line for 3.3.x and 3.4.x, but perhaps bump to databind 3.x for TinkerPop 3.5.0. I've bumped to databind 2.9.10.3 for now (and published 3.3.11, 3.4.7, 3.5.0 SNAPSHOTs)

https://github.com/apache/tinkerpop/commit/bc7c4304dc23b5a17a6d09b75cc7aba5a01b88e1

but will not close this issue until 2.9.10.4 releases (or we release... whichever comes first).

> Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2355
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2355
>             Project: TinkerPop
>          Issue Type: Bug
>    Affects Versions: 3.4.6
>            Reporter: Simeon Andonov
>            Priority: Critical
>
> Hello colleagues,
> Encountering the following vulnerabilities during Vulas scan when TinkerPop 3.4.6 =>
>  * FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
>  * FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
>
> Vulnerability Id: CVE-2019-20330
> Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
> References:
>  * [https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9]
>  * [https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e]
>  * [https://github.com/FasterXML/jackson-databind/issues/2526]
> It seems that these issues are resolved in jackson-databind 2.10.2.
> Probably a change similar to this one ([https://github.com/apache/tinkerpop/pull/1220/files]), but applying 2.10.2 will resolve the vulnerabilities.
> Thanks in advance for the help!
> Best Regards,
> Simeon Andonov

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
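As an added example, not code from this thread or from the TinkerPop project: a Python check that reads the jackson-databind version recorded inside a shaded jar and maps it against the fixed versions the report lists, so a scan result like the one above can be confirmed locally against the jar actually shipped. It assumes Maven's standard pom.properties path inside the jar; the jar it builds is a constructed fixture, and the 2.9.10.3 cut-off for the xbean item is inferred from the report's "through 2.9.10.2" wording.

```python
import os
import re
import tempfile
import zipfile

# Fixed versions as stated in the report above (2.x line). "2.0.0 through
# 2.9.10.2" is read as fixed in 2.9.10.3: an inference from the inclusive
# wording, not a value given in the thread.
ADVISORIES = [
    ("net.sf.ehcache blocking (CVE-2019-20330)", "2.9.10.2"),
    ("xbean-reflect/JNDI blocking", "2.9.10.3"),
    ("shaded hikari-config / ibatis-sqlmap / anteros-core gadgets", "2.9.10.4"),
]
# Path Maven records inside any jar (shaded or not) that bundles jackson-databind.
POM_PROPERTIES = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"

def parse_version(text):
    """'2.9.10.3' -> (2, 9, 10, 3); shorter strings are right-padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))

def open_advisories(version):
    """Names of the listed advisories that still apply to this databind version."""
    v = parse_version(version)
    if v[0] != 2:
        return []  # the report only describes the 2.x line
    return [name for name, fixed in ADVISORIES if v < parse_version(fixed)]

def databind_version_in_jar(path):
    """Version recorded in the jar's databind pom.properties, or None if absent."""
    with zipfile.ZipFile(path) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                return value.strip()
    return None

def check_sample_jar(version):
    """Build a constructed jar holding only pom.properties, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gremlin-shaded-sample.jar")  # hypothetical file name
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPERTIES, "artifactId=jackson-databind\nversion=%s\n" % version)
        found = databind_version_in_jar(path)
    return found, open_advisories(found)
```

Run against a real gremlin-shaded jar with `databind_version_in_jar(path)`; with 2.9.10.3, the version this thread bumps to, the three 2.9.10.4 gadget items are still reported open, which is why the issue stays unresolved in the comment above.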