Since this has been asked a few times by users, here is what I know about the security vulnerability id'd as "CVE-2016-3720" (reported by https://access.redhat.com/security/cve/CVE-2016-3720 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3720).

The reported (and resolved) problem is that the Jackson XML mapper by default constructs XMLInputFactory (the Stax factory for creating XML parsers and generators) as-is, without changing the JDK- (and Stax specification) provided defaults. These include expansion of so-called general parsed entities: entities declared in a DTD subset (internal or external), things like "&myStuff;", which can further include external content via URL references. This problem has been reported for many other libraries recently; I don't know of actual attacks, but the potential vulnerability itself is quite widely known.

The fix here is to disable expansion by default; users may still enable it should they wish to, especially if they add a custom resolver to validate references to external resources.

The fix was included in Jackson version 2.7.4, and an upgrade is recommended. The upcoming 2.8.0 will have the fix as well. For older versions you can still change code to explicitly construct and configure XMLInputFactory, to get the same result: we have no plans for full releases of older versions.

One unfortunate thing here is that I do not know if or how to get information about the fixed-in version propagated so that it would be available via the CVE report GUI itself. As things are, it may look like this problem is unresolved, which is not the case. If anyone knows who could help, I'd be interested. I have reached out to Red Hat's security team (who are aware of the fix), so perhaps at least their repository can have additional information.

-+ Tatu +-
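As an added example (not from the post and not Jackson's own code) of the pre-2.7.4 workaround described above: construct and configure XMLInputFactory explicitly, then hand it to XmlMapper through XmlFactory. The sample document and the file path it references are constructed, and which Stax properties to turn off is my assumption about what "disabling expansion" should cover, not a statement of exactly what 2.7.4 sets.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class HardenedXmlMapper {

    // Explicitly configured Stax factory (assumed hardening choice, not the
    // project's code): external general entities are never resolved, and DTD
    // processing is off, so an internal subset cannot declare entities that
    // pull in file or URL content in the first place.
    public static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return in;
    }

    // XmlMapper built on the explicit factory. On Jackson < 2.7.4 this is the
    // workaround; on 2.7.4+ it is harmless, since the library already defaults
    // to not resolving external entities.
    public static XmlMapper hardenedMapper() {
        XmlFactory xf = new XmlFactory(hardenedInputFactory(), XMLOutputFactory.newFactory());
        return new XmlMapper(xf);
    }

    // Constructed sample: an internal DTD subset declaring an external general
    // entity (the path is a placeholder, nothing real is read).
    static final String SAMPLE = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///tmp/constructed-sample.txt\"> ]>"
        + "<doc><name>&ext;</name></doc>";

    public static void main(String[] args) {
        try {
            JsonNode tree = hardenedMapper().readTree(SAMPLE);
            // Reaching here means the parser accepted the document but did not
            // fetch the external resource; the element is empty or unexpanded.
            System.out.println("Parsed without resolving entity; name = " + tree.path("name").asText());
        } catch (Exception e) {
            // With DTD support off, a parser error on the DOCTYPE/entity is the
            // other acceptable outcome: the external reference is never followed.
            System.out.println("Rejected by parser: " + e.getMessage());
        }
    }
}
```

Either printed outcome is the desired one for a defender; what must not happen is the contents of the referenced file appearing in `name`.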
