[ 
https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16948173#comment-16948173
 ] 

Tatu Saloranta commented on BEAM-7881:
--------------------------------------

[~romain.manni-bucau] If you have not read this blog article:

[https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062]

you should. It explains why CVEs that have been filed are not relevant for most 
projects. It is true that security tools cannot express conditional 
vulnerabilities well and as such claim all usage has security problems: this is 
not true.

Now looking at Beam, Default Typing is used in exactly one place:

./sdks/java/io/google-cloud-platform/src/main/java/org/apache/beam/sdk/io/gcp/bigquery/BigQueryInsertErrorCoder.java

and it is not used to process external input I think.

But perhaps more importantly, Jackson 2.10 will not be vulnerable to this class 
of CVEs, as it introduces "safe default typing" (see 
[https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2]).
I think an upgrade to 2.10 makes sense, but it may make sense to wait until 2.10.1 
is out.
Once this upgrade is made it will be possible to add `PolymorphicTypeValidator` 
into the above-mentioned class and prevent even the theoretical concern of malicious 
input being crafted.
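The following is an added illustration of the 2.10 approach the comment above describes; it is not code from Beam, from Jackson, or from the commenter. It contrasts the pre-2.10 unrestricted default typing with a mapper that activates default typing through a `PolymorphicTypeValidator`, so that only an allow-listed base type (or a package prefix) can be named in a type id. The `Event`/`InsertError` classes and the `com.example.events.` package prefix are assumptions made for the example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTypingExample {

    // Hypothetical application types (assumed for this example, not Beam's).
    public interface Event {}

    public static class InsertError implements Event {
        public String message;
        public InsertError() {}
        public InsertError(String message) { this.message = message; }
    }

    // Pre-2.10 style: type ids in the input may name any class Jackson can
    // instantiate. Deprecated in 2.10; shown only for comparison.
    @SuppressWarnings("deprecation")
    public static ObjectMapper unrestrictedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // 2.10 style: the validator decides which base/sub types may be resolved.
    // Anything outside the allow list is rejected before instantiation.
    public static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Event.class)            // our own polymorphic root
            .allowIfSubType("com.example.events.")   // assumed package prefix
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = restrictedMapper();

        // Round trip of an allowed type: the type id is emitted and accepted.
        String json = safe.writeValueAsString(new InsertError("row rejected"));
        Event back = safe.readValue(json, Event.class);
        System.out.println("allowed: " + ((InsertError) back).message);

        // Constructed input naming a class outside the allow list: the
        // validator denies the type id and Jackson throws instead of
        // instantiating the named class.
        String untrusted = "[\"java.util.ArrayList\", []]";
        try {
            safe.readValue(untrusted, Object.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("denied: " + e.getOriginalMessage());
        }
    }
}
```

The design point is that the allow list is declared where the mapper is built, so a coder that only ever reads its own error type can state that in one place, and the unrestricted mapper never needs to exist in the code base.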


> Get rid of jackson to avoid the continuous flow of CVEs in Jackson
> ------------------------------------------------------------------
>
>                 Key: BEAM-7881
>                 URL: https://issues.apache.org/jira/browse/BEAM-7881
>             Project: Beam
>          Issue Type: Task
>          Components: sdk-java-core
>    Affects Versions: 2.14.0
>            Reporter: Romain Manni-Bucau
>            Priority: Blocker
>
> Jackson keeps having CVEs on all releases of databind, and transitively beam 
> sdk java core has CVEs on all its releases (for the record, when writing this 
> issue you must use at least jackson-databind 2.9.9.2, but last week it was 
> 2.9.9.1 and 2.14 didn't get the fix).
> Can be neat to get rid of jackson, which has not fixed this issue for a very 
> long time now, and just use JSON-B or another JSON impl to ensure the CVE is 
> not usable because beam is there.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)