Hi David

Thanks for bringing this to our attention.

The 1st issue https://nvd.nist.gov/vuln/detail/CVE-2018-7489 seems to only be applicable if you have Spring JARs on the classpath, which some Camel users may have.

The 2nd issue https://nvd.nist.gov/vuln/detail/CVE-2018-7489 seems to only be applicable if you have c3p0 on the classpath, which we do NOT have by default in Apache Camel. And we have no Camel components that use c3p0.

But we will of course upgrade to the latest Jackson version on the master branch.

It may look like Jackson has not provided CVE fixes for these reports on their 2.8.x versions. That version is what is in use for Camel 2.20.x and 2.21.x, and therefore it's more tricky to do something about it.

Camel users can try to switch to Jackson 2.9.5 with their Camel 2.20.x or 2.21.x, as it's just a matter of selecting the JARs in their classpath/application.

And as Jackson is also used by Spring Boot, we are trying to align with the supported version of Jackson that Spring Boot uses. And Camel 2.20.x and 2.21.x are using Spring Boot 1.5.x. And Jackson sometimes has incompatibility issues, so it's not always an easy upgrade.

On Mon, Apr 16, 2018 at 1:00 PM, David Atkins <davidatkin...@gmail.com> wrote:
> Hello,
>
> I've recently run a dependency check on the camel-jackson 2.21.0 and
> it appears that the version of jackson being used (2.8.10) has two
> High/Severe vulnerabilities.
>
> To fix this for camel-jackson we'll need to upgrade as follows:
>
> CVE-2017-17485 - Jackson 2.9.3 or greater
> CVE-2018-7489 - Jackson 2.9.5 or greater
>
> I can see that the parent pom on the mainline has been upgraded to
> 2.9.4 (as part of spring boot 2 migration), so that covers
> CVE-2017-17485 'for free'
>
> More information available here:
>
> https://nvd.nist.gov/vuln/detail/CVE-2017-17485
> https://nvd.nist.gov/vuln/detail/CVE-2018-7489
>
> Shall I raise a JIRA to address this (possible as two separate tickets
> to track both issues?)
>
> Thanks,
>
> David

--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
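The thread leaves the reader with two things to verify in their own build: which jackson-databind version actually ends up on the classpath, and whether the libraries that make each report applicable (Spring JARs for the first, c3p0 for the second, as Claus describes) are present. The script below is an added example, not code from this thread or from the Apache Camel project. It parses the output of `mvn dependency:tree` (the sample tree is constructed to look like a camel-jackson 2.21.0 project) and compares every jackson-databind it finds against the fixed versions David lists. The advisory table, the `version_tuple` helper and the coordinate regex are my own assumptions about the tree format, not anything from Camel or Jackson.

```python
"""Audit `mvn dependency:tree` output for the Jackson versions discussed in the thread.

Constructed example; not part of the Camel project or the mailing-list thread.
"""
import re

# Maven coordinate as printed by `mvn dependency:tree`:
#   groupId:artifactId:type[:classifier]:version[:scope]
COORD_RE = re.compile(
    r"^([\w.\-]+):([\w.\-]+):([\w\-]+):(?:([\w.\-]+):)?(\d[\w.\-]*)(?::([a-z]+))?$"
)

# Fixed versions named in the thread, plus the classpath condition Claus gives for
# each report: (CVE, fixed-in, groupId that must be present, artifactId or None for any).
ADVISORIES = (
    ("CVE-2017-17485", "2.9.3", "org.springframework", None),  # Spring JARs on classpath
    ("CVE-2018-7489", "2.9.5", "com.mchange", "c3p0"),         # c3p0 on classpath
)

# Constructed sample tree: camel-jackson 2.21.0 pulling Jackson 2.8.10, with Spring
# and c3p0 also present so both reports are applicable.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0-SNAPSHOT
[INFO] +- org.apache.camel:camel-jackson:jar:2.21.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.8.10:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.10:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.10:compile
[INFO] +- org.springframework:spring-context:jar:4.3.14.RELEASE:compile
[INFO] \\- com.mchange:c3p0:jar:0.9.5.2:compile
"""


def parse_dependency_tree(text):
    """Return one dict per coordinate line; plugin banners and non-coordinate lines are skipped."""
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):]
        line = line.lstrip(" |+\\-")  # drop the ASCII tree drawing
        m = COORD_RE.match(line)
        if m:
            group, artifact, _type, _classifier, version, scope = m.groups()
            deps.append({"group": group, "artifact": artifact,
                         "version": version, "scope": scope})
    return deps


def version_tuple(version):
    """Leading dotted numbers of a version as a comparable tuple: '2.9.10' -> (2, 9, 10)."""
    return tuple(int(n) for n in re.match(r"\d+(?:\.\d+)*", version).group(0).split("."))


def check_jackson(deps):
    """Compare every jackson-databind on the classpath against the thread's fixed versions.

    Each finding records the version found, the fixed version, and whether the library
    that makes the report applicable (per the thread) is also on the classpath.
    """
    findings = []
    databinds = [d for d in deps
                 if d["group"] == "com.fasterxml.jackson.core"
                 and d["artifact"] == "jackson-databind"]
    for d in databinds:
        for cve, fixed, cond_group, cond_artifact in ADVISORIES:
            if version_tuple(d["version"]) >= version_tuple(fixed):
                continue
            gadget_present = any(
                x["group"] == cond_group
                and (cond_artifact is None or x["artifact"] == cond_artifact)
                for x in deps)
            findings.append({"cve": cve, "found": d["version"], "fixed_in": fixed,
                             "gadget_on_classpath": gadget_present})
    return findings


if __name__ == "__main__":
    for f in check_jackson(parse_dependency_tree(SAMPLE_TREE)):
        status = "applicable" if f["gadget_on_classpath"] else "not applicable per the thread"
        print(f"{f['cve']}: jackson-databind {f['found']} < {f['fixed_in']} ({status})")
```

Run it against real output with `mvn dependency:tree > tree.txt` and feed the file to `parse_dependency_tree`; after pinning jackson-databind to 2.9.5 in the project's `dependencyManagement` (the override Claus describes), rerunning the tree should produce no findings, which is the check that the override actually won the version resolution.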