Il Dom 23 Feb 2020, 17:12 Patrick Hunt <[email protected]> ha scritto:
> On Sun, Feb 23, 2020 at 1:09 AM Enrico Olivelli <[email protected]> > wrote: > > > Hi, > > we are using a library, Jackson Databind, to serialize JSON objects on > > the HTTP Admin Endpoint. > > > > Unfortunately that library is very ofter subject to CVEs due to the > > intrinsic nature of the library, the fact that is really very common > > and in particular to the fact that it has many deserialization > > "gadgets" (that we are not using). > > > > Usually we are never affected by those CVEs because we are using only > > Jackson core features and we are using it only in order to serialize > > data (and only very simple beans). > > > > Some more context here: > > > > > > > https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 > > > > > > We want OWASP dependency checker to be always happy with our releases. > > I think this is very good. > > But we are spending lot of time, especially in blocking releases due > > to these fact. > > > > I am now proposing to drop this dependency and use some other simpler > > JSON encoding library. > > > > Thoughts ? > > > > > +1 - makes sense to me. Can we find something with a permissive license, > that's minimal, has a history of success/support and will minimize impact? > What about this minimal version of Jackson? https://github.com/FasterXML/jackson-jr Enrico > > Thanks, > > Patrick > > > > Enrico > > >
