[ https://issues.apache.org/jira/browse/QPID-8136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall updated QPID-8136:
-----------------------------
    Description: 
CVE-2017-7525 was recently published against the Jackson-databind component.
Broker-J uses the library for the purposes of the persistence of configuration
and interpreting the payloads of some network requests.

Whilst Apache Qpid Broker-J distributions include a version of jackson-databind 
that is affected by the vulnerability, it is believed
that Apache Qpid Broker-J product itself is *NOT AFFECTED* by this 
vulnerability.  This is because Broker-J code never enables Jackson's
polymorphic deserialisation features: specifically it never makes calls to 
Object#enableDefaultTyping(...) nor does it use
TypeResolverBuilders or annotations that enable the feature.

Even though it is believed the vulnerability cannot be exploited, this Jira 
will upgrade the dependencies of Broker-J to versions of the Jackson-databind 
that are not vulnerable to this issue:

  was: Upgrade Jackson dependencies


> [Broker-J] Upgrade Jackson dependencies
> ---------------------------------------
>
>                 Key: QPID-8136
>                 URL: https://issues.apache.org/jira/browse/QPID-8136
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Keith Wall
>            Priority: Major
>             Fix For: qpid-java-broker-7.1.0, qpid-java-6.1.6, 
> qpid-java-broker-7.0.3
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
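The description above rests on one configuration fact: Broker-J never installs a default typer on its ObjectMapper, so a JSON property naming a class is never used to pick a type to instantiate. The Java below is an added illustration of that check and is not Broker-J or Jackson project code; it assumes the Jackson 2.x databind API, and the payload string and the `com.example.SomeType` class name in it are constructed placeholders.

```java
import com.fasterxml.jackson.databind.DeserializationConfig;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;

import java.util.Map;

public class DefaultTypingCheck {

    // Constructed sample payload. "@class" is the property name Jackson would
    // consult for polymorphic typing if default typing had been enabled.
    static final String PAYLOAD =
        "{\"@class\":\"com.example.SomeType\",\"name\":\"queue1\",\"durable\":true}";

    /** True when the mapper has no default TypeResolverBuilder installed. */
    static boolean defaultTypingDisabled(ObjectMapper mapper) {
        DeserializationConfig cfg = mapper.getDeserializationConfig();
        JavaType base = mapper.getTypeFactory().constructType(Object.class);
        TypeResolverBuilder<?> typer = cfg.getDefaultTyper(base);
        return typer == null;
    }

    public static void main(String[] args) throws Exception {
        // A freshly constructed ObjectMapper: enableDefaultTyping(...) is never called.
        ObjectMapper mapper = new ObjectMapper();
        if (!defaultTypingDisabled(mapper)) {
            throw new IllegalStateException("default typing must remain disabled");
        }

        // With no default typer, binding to Object yields a plain Map: "@class"
        // is just another key, and no class is looked up or instantiated.
        Object value = mapper.readValue(PAYLOAD, Object.class);
        if (!(value instanceof Map)) {
            throw new AssertionError("expected a Map, got " + value.getClass());
        }
        Map<?, ?> asMap = (Map<?, ?>) value;
        System.out.println("bound as " + value.getClass().getName()
            + " with keys " + asMap.keySet());
    }
}
```

A check like `defaultTypingDisabled` belongs in a unit test so that a later change to the shared mapper configuration fails the build rather than silently reintroducing the exposure.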
