Simeon Andonov created TINKERPOP-2355:
-----------------------------------------
Summary: Jackson-databind version in Gremlin shaded dependency
needs to be increased - introduces vulnerability issues
Key: TINKERPOP-2355
URL: https://issues.apache.org/jira/browse/TINKERPOP-2355
Project: TinkerPop
Issue Type: Bug
Affects Versions: 3.4.6
Reporter: Simeon Andonov
Hello colleagues,
Encountering the following vulnerabilities during Vulas scan when Tinkerpop
3.4.6 =>
* FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache
blocking.
* FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain
xbean-reflect/JNDI blocking, as demonstrated by
org.apache.xbean.propertyeditor.JndiConverter.
* FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded
hikari-config).
* FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka
ibatis-sqlmap).
* FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Vulnerability Id: CVE-2019-20330
Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain
net.sf.ehcache blocking.
References:
*
[https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9]
*
[https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e]
*
[https://github.com/FasterXML/jackson-databind/issues/2526]
It seems that these issues are resolved in jackson-databind 2.10.2.
Probably a change similar to this one
([https://github.com/apache/tinkerpop/pull/1220/files]) , but applying 2.10.2
will resolve the vulnerabilities.
Thanks in advance for the help!
Best Regards,
Simeon Andonov
--
This message was sent by Atlassian Jira
(v8.3.4#803005)