cassandra-commits mailing list archives

From "Tatu Saloranta (Jira)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-16851) Update from Jackson 2.9 to 2.12
Date Wed, 18 Aug 2021 18:31:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-16851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17401298#comment-17401298 ]

Tatu Saloranta commented on CASSANDRA-16851:
--------------------------------------------

Security aspect wrt CVE is probably a good one regarding move from 2.9 to even just 2.10 –
practically all Jackson CVEs for past 2.5 years were for polymorphic deserialization and are
not applicable to 2.10 or beyond.
While these CVEs were already not applicable to Cassandra usage (as per https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062),
vuln tracking tools are very simplistic and cannot really express something that is only applicable
to specific usage scenarios, and will happily indicate Cassandra requiring update to latest
Jackson 2.9 patch.

Or, TL;DNR: moving out of 2.9 will stop any new Jackson polymorphic deser CVEs.
This would probably be nice for C* 3.x as well as 4.x.
Choice of Jackson dependency to use can also be different between 3.x and 4.x, although with
relatively simple usage it is probably simpler from support perspective to update both to
Jackson 2.12.


> Update from Jackson 2.9 to 2.12
> -------------------------------
>
>                 Key: CASSANDRA-16851
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16851
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Dependencies
>            Reporter: Tatu Saloranta
>            Assignee: Tatu Saloranta
>            Priority: Normal
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Given that Jackson 2.9 support has ended, it would be good to move at least to the next
> minor version (2.10, patch 2.10.5) or later – latest stable being 2.12.4.
> I can test to see if anything breaks, but looking at existing Jackson usage there shouldn't
> be many issues.
> Assuming upgrade is acceptable there's the question of which branches to apply it to;
> I will first test it against 4.0.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
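As an added illustration of the 2.10 API change the comment is referring to (example code, not Cassandra's own and not part of this thread): from 2.10 on, default typing can only be activated together with an explicit PolymorphicTypeValidator, so an opt-in allow list replaces the open class-name resolution that the 2.9-era polymorphic deserialization CVEs relied on. The package prefix `com.example.model.` is a placeholder.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingConfig {

    // Placeholder: the package under which the application's own polymorphic
    // model types live. Only subtypes from here should ever be instantiated.
    public static final String APP_MODEL_PACKAGE = "com.example.model.";

    // Jackson 2.9 style: enableDefaultTyping() resolves whatever class name the
    // "@class" property carries, which is the behaviour the polymorphic
    // deserialization CVEs depend on. Deprecated since 2.10; kept here only to
    // contrast with the 2.10+ form below.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Jackson 2.10+ style: activateDefaultTyping() requires a validator, so the
    // set of classes that may be named in the payload is an explicit allow list.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(APP_MODEL_PACKAGE)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Baseline for simple usage such as plain DTOs: no default typing at all,
    // so no class names from the input are ever resolved.
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }
}
```

A dependency scanner flags the artifact version, not the mapper configuration, which is why the upgrade itself is what clears the reports even when the default-typing path was never enabled.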

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org

