Posted to dev@tinkerpop.apache.org by "Stephen Mallette (Jira)" <ji...@apache.org> on 2020/03/27 14:18:00 UTC

[jira] [Updated] (TINKERPOP-2355) Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues

     [ https://issues.apache.org/jira/browse/TINKERPOP-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Mallette updated TINKERPOP-2355:
----------------------------------------
    Labels:   (was: dependencies security)

Thanks. We're constantly upgrading jackson for this sort of thing (as is everyone). I think we will look to stay on the 2.9.x release line for 3.3.x and 3.4.x, but perhaps bump to databind 3.x for TinkerPop 3.5.0. I've bumped to databind 2.9.10.3 for now (and published 3.3.11, 3.4.7, 3.5.0 SNAPSHOTs)

https://github.com/apache/tinkerpop/commit/bc7c4304dc23b5a17a6d09b75cc7aba5a01b88e1

but will not close this issue until 2.9.10.4 releases (or we release..whichever comes first).

> Jackson-databind version in Gremlin shaded dependency needs to be increased  - introduces vulnerability issues
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2355
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2355
>             Project: TinkerPop
>          Issue Type: Bug
>    Affects Versions: 3.4.6
>            Reporter: Simeon Andonov
>            Priority: Critical
>
> Hello colleagues,
> Encountering the following vulnerabilities during Vulas scan when Tinkerpop 3.4.6 =>
>  * FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
>  * FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
>  
> Vulnerability Id: CVE-2019-20330
> Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. 
> References:
>  * [https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9]
>  * [https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e]
>  * [https://github.com/FasterXML/jackson-databind/issues/2526]
> It seems that these issues are resolved in jackson-databind 2.10.2.
> Probably a change similar to this one ([https://github.com/apache/tinkerpop/pull/1220/files]), but applying 2.10.2 will resolve the vulnerabilities.
> Thanks in advance for the help!
> Best Regards,
> Simeon Andonov
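As an added example (not code from the issue or from the TinkerPop project), the five scanner findings quoted above are parsed into version ranges and checked against the jackson-databind versions discussed in the thread. The range thresholds come from the finding text; the versions fed in (2.9.10.3, the interim bump, and 2.10.2, the reporter's suggestion) are constructed inputs. It shows why the interim bump clears only two of the five findings and the issue has to stay open until 2.9.10.4 ships.

```python
import re

# The five Vulas findings quoted in the issue, copied from the report text above.
FINDINGS = [
    "FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.",
    "FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.",
    "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).",
    "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).",
    "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
]

# Two wordings appear in the findings: "<major>.x before <high>" and "<low> through <high>".
_BEFORE = re.compile(r"jackson-databind (\d+)\.x before (\d+(?:\.\d+)+)")
_THROUGH = re.compile(r"jackson-databind (\d+(?:\.\d+)+) through (\d+(?:\.\d+)+)")


def parse_version(v):
    """Turn '2.9.10.3' into a comparable tuple; Jackson micro-patches add a 4th component."""
    return tuple(int(p) for p in v.split("."))


def affected_range(finding):
    """Return (low_inclusive, high, high_inclusive) parsed from the finding text."""
    m = _BEFORE.search(finding)
    if m:
        # "2.x before X": anything on the 2 line that is strictly older than X.
        return ((int(m.group(1)),), parse_version(m.group(2)), False)
    m = _THROUGH.search(finding)
    if m:
        # "A through B": both ends inclusive.
        return (parse_version(m.group(1)), parse_version(m.group(2)), True)
    raise ValueError("unrecognised range wording: " + finding)


def is_affected(version, finding):
    """True if the given jackson-databind version falls inside the finding's range."""
    low, high, high_inclusive = affected_range(finding)
    v = parse_version(version)
    if v[: len(low)] < low:  # older than the range's lower bound
        return False
    return v <= high if high_inclusive else v < high


def open_findings(version, findings=FINDINGS):
    """Findings a scanner would still flag for the given jackson-databind version."""
    return [f for f in findings if is_affected(version, f)]


if __name__ == "__main__":
    for candidate in ("2.9.10.3", "2.9.10.4", "2.10.2"):
        print(candidate, "still flagged:", len(open_findings(candidate)))
```

Running the block prints 3 open findings for 2.9.10.3 and none for 2.9.10.4 or 2.10.2, matching the maintainer's decision to wait for 2.9.10.4.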



--
This message was sent by Atlassian Jira
(v8.3.4#803005)