[jira] [Commented] (TINKERPOP-2355) Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues

Sun, 29 Mar 2020 23:31:00 -0700 


    [ 
https://issues.apache.org/jira/browse/TINKERPOP-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17070714#comment-17070714
 ] 

Simeon Andonov commented on TINKERPOP-2355:
-------------------------------------------

Hello Stephen,
Thank you for the quick response!

You mentioned that we have to wait for the release of databind 2.9.10.4 , but I 
think it is already available.

We are using successfully Databind 2.10.2 in the other parts of the project. It 
seems that it addresses the security vulnerabilities. Is it possible to bump to 
it in Tinkerpop or we have to wait for Databind 3.x ?

Best Regards,
Simeon

> Jackson-databind version in Gremlin shaded dependency needs to be increased  
> - introduces vulnerability issues
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2355
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2355
>             Project: TinkerPop
>          Issue Type: Bug
>    Affects Versions: 3.4.6
>            Reporter: Simeon Andonov
>            Priority: Critical
>
> Hello colleagues,
> Encountering the following vulnerabilities during Vulas scan when Tinkerpop 
> 3.4.6 =>
>  * FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain 
> net.sf.ehcache blocking.
>  * FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain 
> xbean-reflect/JNDI blocking, as demonstrated by 
> org.apache.xbean.propertyeditor.JndiConverter.
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction 
> between serialization gadgets and typing, related to 
> org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded 
> hikari-config).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction 
> between serialization gadgets and typing, related to 
> com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka 
> ibatis-sqlmap).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction 
> between serialization gadgets and typing, related to 
> br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
>  
> Vulnerability Id: CVE-2019-20330
> Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain 
> net.sf.ehcache blocking. 
> References: 
>  * 
> [https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9]
>  * 
> [https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e]
>  * 
> [https://github.com/FasterXML/jackson-databind/issues/2526]
> It seems that these issues are resolved in jackson-databind 2.10.2.
> Probably a change similar to this one 
> ([https://github.com/apache/tinkerpop/pull/1220/files]) , but applying 2.10.2 
> will resolve the vulnerabilities.
> Thanks in advance for the help!
> Best Regards,
> Simeon Andonov



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to