[ https://issues.apache.org/jira/browse/TINKERPOP-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Mallette updated TINKERPOP-2355:
----------------------------------------
    Component/s: build-release

> Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2355
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2355
>             Project: TinkerPop
>          Issue Type: Bug
>          Components: build-release
>    Affects Versions: 3.4.6
>            Reporter: Simeon Andonov
>            Priority: Critical
>
> Hello colleagues,
> Encountering the following vulnerabilities during a Vulas scan of TinkerPop 3.4.6:
>  * FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
>  * FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
>
> Vulnerability Id: CVE-2019-20330
> Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
> References:
>  * [https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9]
>  * [https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e]
>  * [https://github.com/FasterXML/jackson-databind/issues/2526]
> It seems that these issues are resolved in jackson-databind 2.10.2.
> Probably a change similar to this one ([https://github.com/apache/tinkerpop/pull/1220/files]), but applying 2.10.2, will resolve the vulnerabilities.
> Thanks in advance for the help!
> Best Regards,
> Simeon Andonov
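An added check, not part of this ticket or of the TinkerPop project, for confirming which jackson-databind version a shaded jar actually embeds: it reads the Maven `pom.properties` that the shade plugin normally leaves under `META-INF/maven/` (an assumption; if the build strips it, the check reports "missing" and the dependency tree is the fallback) and compares the version against 2.9.10.4, the newest fixed version the five quoted advisories name, and against the 2.10.2 the reporter asks for. The jar used below is constructed in memory as a fixture.

```python
import io
import re
import zipfile

# Path Maven writes into every jar it builds; assumed here to survive shading.
POM_PROPERTIES = (
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
)

# The five advisories quoted in the ticket are fixed by 2.9.10.2, 2.9.10.3 and
# 2.9.10.4, so 2.9.10.4 is the floor for all of them; 2.10.2 is what was requested.
MIN_FIXED = "2.9.10.4"
REQUESTED = "2.10.2"


def parse_version(text):
    """Turn '2.9.10.4' into (2, 9, 10, 4) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def embedded_jackson_version(jar_bytes):
    """Read jackson-databind's version from a (shaded) jar, or None if not recorded."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def classify(jar_bytes):
    """'missing', 'vulnerable' (below 2.9.10.4), 'fixed' (at least 2.9.10.4) or 'requested' (at least 2.10.2)."""
    version = embedded_jackson_version(jar_bytes)
    if version is None:
        return "missing"
    v = parse_version(version)
    if v < parse_version(MIN_FIXED):
        return "vulnerable"
    if v < parse_version(REQUESTED):
        return "fixed"
    return "requested"


def build_jar(version):
    """Constructed fixture: a minimal jar carrying only pom.properties (none if version is None)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            props = f"groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion={version}\n"
            jar.writestr(POM_PROPERTIES, props)
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.9.9", "2.9.10.2", "2.9.10.4", "2.10.2", None):
        print(v, "->", classify(build_jar(v)))
```

On a real artifact, read the file with `open(path, "rb").read()` and pass the bytes to `classify`; the shaded gremlin jar relocates the Jackson classes, but the Maven metadata path, if present, is unchanged.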



--
This message was sent by Atlassian Jira
(v8.3.4#803005)