[ https://issues.apache.org/jira/browse/QPID-8136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Keith Wall updated QPID-8136: ----------------------------- Description: CVE-2017-7525 was recently published against the Jackson-databind component. Broker-J uses the library for the purposes of the persistence of configuration and the interpreting the payloads of some network requests. Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed that Apache Qpid Broker-J product itself is *NOT AFFECTED* by this vulnerability. This is because Broker-J code never enables Jackson's polymorphic deserialisation features: specifically it never makes calls to Object#enableDefaultTyping(...) nor does it use TypeResolverBuilders or annotations that enable the feature. Even though it is believed the vulnerability cannot be exploited, this Jira will upgrade the dependencies of Broker-J to versions of the Jackson-databind that are not vulnerable to this issue: was:Upgrade Jackson dependencies > [Broker-J] Upgrade Jackson dependencies > --------------------------------------- > > Key: QPID-8136 > URL: https://issues.apache.org/jira/browse/QPID-8136 > Project: Qpid > Issue Type: Improvement > Components: Broker-J > Reporter: Keith Wall > Priority: Major > Fix For: qpid-java-broker-7.1.0, qpid-java-6.1.6, > qpid-java-broker-7.0.3 > > > CVE-2017-7525 was recently published against the Jackson-databind component. > Broker-J uses the library for the purposes of the persistence of > configuration and the interpreting the payloads of some network requests. > Whilst Apache Qpid Broker-J distributions include a version of > jackson-databind that is affected by the vulnerability, it is believed > that Apache Qpid Broker-J product itself is *NOT AFFECTED* by this > vulnerability. This is because Broker-J code never enables Jackson's > polymorphic deserialisation features: specifically it never makes calls to > Object#enableDefaultTyping(...) nor does it use > TypeResolverBuilders or annotations that enable the feature. > Even though it is believed the vulnerability cannot be exploited, this Jira > will upgrade the dependencies of Broker-J to versions of the Jackson-databind > that are not vulnerable to this issue: > > -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org