[jira] [Commented] (BEAM-7881) Get rid of jackson to avoid the continuous flow of CVEs in Jackson

2019-12-05 Thread Romain Manni-Bucau (Jira)


[ https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16989414#comment-16989414 ]

Romain Manni-Bucau commented on BEAM-7881:
--

I will just highlight that the 0day issue was due to the presence of jars, not 
their feature activation, and that Beam does not own the Jackson version but the 
runner does. So the best Beam can do is to decorrelate itself from such libs IMHO.

Now if the community does not care, please just close the ticket, this is no 
longer a blocker for me.

> Get rid of jackson to avoid the continuous flow of CVEs in Jackson
> --
>
> Key: BEAM-7881
> URL: https://issues.apache.org/jira/browse/BEAM-7881
> Project: Beam
> Issue Type: Task
> Components: sdk-java-core
> Affects Versions: 2.14.0
> Reporter: Romain Manni-Bucau
> Priority: Blocker
>
> Jackson keeps having CVE on all releases of databind and transitively beam 
> sdk java core has CVE on all its releases (for the record, when writing this 
> issue you must use at least jackson-databind 2.9.9.2 but last week it was 
> 2.9.9.1 and 2.14 didn't get the fix).
> Can be neat to get rid of jackson which does not fix this issue for a very 
> long time now and just use JSON-B or another JSON impl to ensure the CVE is 
> not usable because beam is there.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (BEAM-7881) Get rid of jackson to avoid the continuous flow of CVEs in Jackson

2019-12-05 Thread Tatu Saloranta (Jira)


[ https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16989267#comment-16989267 ]

Tatu Saloranta commented on BEAM-7881:
--

[~romain.manni-bucau] I am sorry but I am not sure I understand the points. But 
the fact is that the stream of CVEs will stop with 2.10, and with default 
settings Jackson does not have vulnerabilities regarding polymorphic typing. 
If user code explicitly enables use of unsafe features that is no different 
from custom code opening security holes by any other means – if code execution 
is allowed, the framework cannot do much to try to prevent self-inflicted problems.



[jira] [Commented] (BEAM-7881) Get rid of jackson to avoid the continuous flow of CVEs in Jackson

2019-10-09 Thread Romain Manni-Bucau (Jira)


[ https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16948204#comment-16948204 ]

Romain Manni-Bucau commented on BEAM-7881:
--

Well, I don't really panic but I am a bit tired of that issue.

You need to consider multiple points on that:
 # Jackson alone is in better shape and does require an explicit list of *classnames* if the feature is activated - note it is not only what was done
 # Projects can't review all usages each time an issue is found so it is expected to be CVE free anyway
 # Jackson still enables exploiting the issue by its too user-friendly config
 # Beam must also ensure there is no issue in all possible usable runner stacks
 # Most of Beam code can be exploited from an endpoint or external system by design even if indirected (all is not just cronned ;))
 # Beam is often coupled with other libs which can exploit that so not having it is more drastic but efficient and saves investigations for each release which is very costly for end users for literally no gain



[jira] [Commented] (BEAM-7881) Get rid of jackson to avoid the continuous flow of CVEs in Jackson

2019-10-09 Thread Tatu Saloranta (Jira)


[ https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16948173#comment-16948173 ]

Tatu Saloranta commented on BEAM-7881:
--

[~romain.manni-bucau] If you have not read this blog article:

[https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062]

you should. It explains why CVEs that have been filed are not relevant for most 
projects. It is true that security tools cannot express conditional 
vulnerabilities well and as such claim all usage has security problems: this is 
not true.

Now looking at Beam, Default Typing is used in exactly one place:

./sdks/java/io/google-cloud-platform/src/main/java/org/apache/beam/sdk/io/gcp/bigquery/BigQueryInsertErrorCoder.java

and it is not used to process external input, I think.

But perhaps more importantly, Jackson 2.10 will not be vulnerable to this class 
of CVEs, as it introduces "safe default typing" (see 
[https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2]).
I think an upgrade to 2.10 makes sense but it may make sense to wait until 2.10.1 
is out.
Once this upgrade is made it will be possible to add `PolymorphicTypeValidator` 
into the above-mentioned class and prevent even the theoretical concern of malicious 
input being crafted.

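The two comments above turn on one distinction: unvalidated default typing versus Jackson 2.10's `PolymorphicTypeValidator`. The following is an added example, not code from Beam (its `BigQueryInsertErrorCoder`) or from Jackson; the `com.example.shapes` package with `Shape` and `Circle` is assumed, and the input naming `java.util.HashMap` is constructed to show the rejection path.

```java
package com.example.shapes;  // assumed package; the allow-list below is keyed on it
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTypingExample {
    // Hypothetical domain types; only classes in this package may appear as type ids.
    public abstract static class Shape { }
    public static class Circle extends Shape { public double radius; }

    // Pre-2.10 style: enabling default typing with no validator lets the JSON
    // name any class on the classpath, which is what the databind CVEs abused.
    // Deprecated since 2.10; kept here only to contrast with safeMapper().
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // 2.10 "safe default typing": a PolymorphicTypeValidator decides which class
    // names are acceptable before Jackson instantiates anything. Only classes
    // under our own package are allowed; every other type id is refused.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.shapes.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = safeMapper();
        // Round trip of a legitimate subtype still works; the type id is written
        // as ["com.example.shapes.SafeDefaultTypingExample$Circle",{"radius":2.0}].
        Circle c = new Circle();
        c.radius = 2.0;
        String json = safe.writeValueAsString(c);
        Shape back = safe.readValue(json, Shape.class);
        System.out.println(back.getClass().getSimpleName() + " <- " + json);
        // Constructed input naming a class outside the allow-list, read as Object
        // (the declared type the CVE payloads relied on): the validator denies it.
        String hostile = "[\"java.util.HashMap\",{}]";
        try {
            safe.readValue(hostile, Object.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Running it prints the round-tripped `Circle` and then a rejection for the constructed input; the same input fed to `unsafeMapper()` would be deserialized into a `HashMap`.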


[jira] [Commented] (BEAM-7881) Get rid of jackson to avoid the continuous flow of CVEs in Jackson

2019-09-20 Thread Romain Manni-Bucau (Jira)


[ https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16934747#comment-16934747 ]

Romain Manni-Bucau commented on BEAM-7881:
--

Up, the lack of care for security by Jackson is a real concern which should 
be addressed IMHO.

Any hope to get it fixed soon?
