Posted to users@camel.apache.org by David Atkins <da...@gmail.com> on 2018/04/16 11:00:06 UTC

Jackson vulnerabilities CVE-2017-17485 & CVE-2018-7489

Hello,

I've recently run a dependency check on the camel-jackson 2.21.0 and
it appears that the version of Jackson being used (2.8.10) has two
High/Severe vulnerabilities.

To fix this for camel-jackson we'll need to upgrade as follows:

CVE-2017-17485 - Jackson 2.9.3 or greater
CVE-2018-7489 - Jackson 2.9.5 or greater

I can see that the parent pom on the mainline has been upgraded to
2.9.4 (as part of spring boot 2 migration), so that covers
CVE-2017-17485 'for free'

More information available here:

https://nvd.nist.gov/vuln/detail/CVE-2017-17485
https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Shall I raise a JIRA to address this (possibly as two separate tickets
to track both issues)?

Thanks,

David

Re: Jackson vulnerabilities CVE-2017-17485 & CVE-2018-7489

Posted by Willem Jiang <wi...@gmail.com>.
Hi Grzegorz,

Is there any update on this issue?
We may need a JIRA to track this kind of issue.


Willem Jiang

Blog: http://willemjiang.blogspot.com (English)
          http://jnn.iteye.com  (Chinese)
Twitter: willemjiang
Weibo: 姜宁willem

On Tue, Apr 17, 2018 at 3:04 PM, Grzegorz Grzybek <gr...@gmail.com>
wrote:

> Hello
>
>
> > It may look like Jackson has not provided CVE fixes for these reports
> > on their 2.8.x versions. That version is what is in use for Camel
> > 2.20.x and 2.21.x and therefore it's more tricky to do something about
> > it. Camel users can try to switch to use Jackson 2.9.5 with their
> > Camel 2.20.x or 2.21.x as it's just a matter of selecting the JARs in
> > their classpath/application.
> >
>
> (Always) remember about swagger dependencies... Swagger treats semantic
> versioning quite loosely.
> Between 1.5.17 and 1.5.18 there was a Jackson upgrade from 2.8.x to 2.9.x.
>
> Just my heads-up that this should be checked.
>
> regards
> Grzegorz Grzybek
>
>
> > And as Jackson is also used by Spring Boot, we are trying to align
> > with the supported version of Jackson that Spring Boot uses. And Camel
> > 2.20.x and 2.21.x are using Spring Boot 1.5.x.
> >
> > And Jackson sometimes has incompatibility issues, so it's not always an
> > easy upgrade.
> >
> >
> >
> >
> > On Mon, Apr 16, 2018 at 1:00 PM, David Atkins <da...@gmail.com>
> > wrote:
> > > Hello,
> > >
> > > I've recently run a dependency check on the camel-jackson 2.21.0 and
> > > it appears that the version of Jackson being used (2.8.10) has two
> > > High/Severe vulnerabilities.
> > >
> > > To fix this for camel-jackson we'll need to upgrade as follows:
> > >
> > > CVE-2017-17485 - Jackson 2.9.3 or greater
> > > CVE-2018-7489 - Jackson 2.9.5 or greater
> > >
> > > I can see that the parent pom on the mainline has been upgraded to
> > > 2.9.4 (as part of spring boot 2 migration), so that covers
> > > CVE-2017-17485 'for free'
> > >
> > > More information available here:
> > >
> > > https://nvd.nist.gov/vuln/detail/CVE-2017-17485
> > > https://nvd.nist.gov/vuln/detail/CVE-2018-7489
> > >
> > > Shall I raise a JIRA to address this (possibly as two separate tickets
> > > to track both issues)?
> > >
> > > Thanks,
> > >
> > > David
> >
> >
> >
> > --
> > Claus Ibsen
> > -----------------
> > http://davsclaus.com @davsclaus
> > Camel in Action 2: https://www.manning.com/ibsen2
> >
>

Re: Jackson vulnerabilities CVE-2017-17485 & CVE-2018-7489

Posted by Grzegorz Grzybek <gr...@gmail.com>.
Hello


> It may look like Jackson has not provided CVE fixes for these reports
> on their 2.8.x versions. That version is what is in use for Camel
> 2.20.x and 2.21.x and therefore it's more tricky to do something about
> it. Camel users can try to switch to use Jackson 2.9.5 with their
> Camel 2.20.x or 2.21.x as it's just a matter of selecting the JARs in
> their classpath/application.
>

(Always) remember about swagger dependencies... Swagger treats semantic
versioning quite loosely.
Between 1.5.17 and 1.5.18 there was a Jackson upgrade from 2.8.x to 2.9.x.

Just my heads-up that this should be checked.

regards
Grzegorz Grzybek


> And as Jackson is also used by Spring Boot, we are trying to align
> with the supported version of Jackson that Spring Boot uses. And Camel
> 2.20.x and 2.21.x are using Spring Boot 1.5.x.
>
> And Jackson sometimes has incompatibility issues, so it's not always an
> easy upgrade.
>
>
>
>
> On Mon, Apr 16, 2018 at 1:00 PM, David Atkins <da...@gmail.com>
> wrote:
> > Hello,
> >
> > I've recently run a dependency check on the camel-jackson 2.21.0 and
> > it appears that the version of Jackson being used (2.8.10) has two
> > High/Severe vulnerabilities.
> >
> > To fix this for camel-jackson we'll need to upgrade as follows:
> >
> > CVE-2017-17485 - Jackson 2.9.3 or greater
> > CVE-2018-7489 - Jackson 2.9.5 or greater
> >
> > I can see that the parent pom on the mainline has been upgraded to
> > 2.9.4 (as part of spring boot 2 migration), so that covers
> > CVE-2017-17485 'for free'
> >
> > More information available here:
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2017-17485
> > https://nvd.nist.gov/vuln/detail/CVE-2018-7489
> >
> > Shall I raise a JIRA to address this (possibly as two separate tickets
> > to track both issues)?
> >
> > Thanks,
> >
> > David
>
>
>
> --
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2
>

Re: Jackson vulnerabilities CVE-2017-17485 & CVE-2018-7489

Posted by Claus Ibsen <cl...@gmail.com>.
Hi David

Thanks for bringing this to our attention.

The 1st issue
https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Seems to only be applicable if you have Spring JARs on the classpath,
which some Camel users may have.



The 2nd issue
https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Seems to only be applicable if you have c3p0 on the classpath, which we
do NOT have by default in Apache Camel.
And we have no Camel components that use c3p0.

But we will of course upgrade to latest Jackson version on master branch.


It may look like Jackson has not provided CVE fixes for these reports
on their 2.8.x versions. That version is what is in use for Camel
2.20.x and 2.21.x and therefore it's more tricky to do something about
it. Camel users can try to switch to use Jackson 2.9.5 with their
Camel 2.20.x or 2.21.x as it's just a matter of selecting the JARs in
their classpath/application.

And as Jackson is also used by Spring Boot, we are trying to align
with the supported version of Jackson that Spring Boot uses. And Camel
2.20.x and 2.21.x are using Spring Boot 1.5.x.

And Jackson sometimes has incompatibility issues, so it's not always an
easy upgrade.




On Mon, Apr 16, 2018 at 1:00 PM, David Atkins <da...@gmail.com> wrote:
> Hello,
>
> I've recently run a dependency check on the camel-jackson 2.21.0 and
> it appears that the version of Jackson being used (2.8.10) has two
> High/Severe vulnerabilities.
>
> To fix this for camel-jackson we'll need to upgrade as follows:
>
> CVE-2017-17485 - Jackson 2.9.3 or greater
> CVE-2018-7489 - Jackson 2.9.5 or greater
>
> I can see that the parent pom on the mainline has been upgraded to
> 2.9.4 (as part of spring boot 2 migration), so that covers
> CVE-2017-17485 'for free'
>
> More information available here:
>
> https://nvd.nist.gov/vuln/detail/CVE-2017-17485
> https://nvd.nist.gov/vuln/detail/CVE-2018-7489
>
> Shall I raise a JIRA to address this (possibly as two separate tickets
> to track both issues)?
>
> Thanks,
>
> David



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
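For readers on Camel 2.20.x/2.21.x who want to follow Claus's suggestion of "selecting the JARs" themselves, here is an added example (not from this thread and not from the Camel project) of a Maven fragment that pins Jackson to 2.9.5 in the application's own pom. It assumes a Maven-built application; the Jackson coordinates are the real ones, and the `jackson.version` property is the one Spring Boot 1.5.x's parent pom uses, so setting it also covers the Boot starters. Grzegorz's point about swagger applies here: a `dependencyManagement` entry wins over whatever version a transitive dependency such as swagger-core asks for, but only for the artifacts listed, so verify the resolved tree afterwards.

```xml
<!-- Added example, not part of the thread: pin Jackson 2.9.5 in an
     application pom that consumes Camel 2.20.x / 2.21.x. -->
<project>
  <properties>
    <!-- If spring-boot-starter-parent 1.5.x is the parent, this property
         overrides the Jackson version the Boot BOM would otherwise pick. -->
    <jackson.version>2.9.5</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Explicit entries so that transitive requests from camel-jackson,
           camel-swagger-java/swagger-core or anything else resolve to the
           fixed version rather than 2.8.10. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- Verify the result with:
         mvn dependency:tree -Dincludes=com.fasterxml.jackson.core
       Every jackson-core / jackson-databind / jackson-annotations line in
       the output should now read 2.9.5. If a jackson-dataformat-* or
       jackson-module-* artifact is also on the classpath, add it to the
       block above too, since Jackson modules must match the core version. -->
</project>
```

Because the three artifacts come from the same release train, pinning them together avoids the mismatch that the thread warns about ("Jackson sometimes has incompatibility issues"); pinning only jackson-databind while jackson-core stays at 2.8.10 is the usual way to trip over that.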