Posted to user@olingo.apache.org by Debraj Manna <su...@gmail.com> on 2022/11/02 13:29:06 UTC

CVE-2022-40153 on dependency woodstox-core

I was having some difficulty joining the mailing list, so I asked the same
question on Stack Overflow
<https://stackoverflow.com/questions/74284933/apache-olingo-cve-2022-40153-on-dependency-woodstox-core>
as well. I did not get much response there, so I am cross-posting it here.

Our CVE tracker is flagging odata-client-core (version 4.8.0) for the
presence of dependency woodstox-core (version 6.2.4) affected by
CVE-2022-40153 <https://github.com/advisories/GHSA-fv22-xp26-mm9w>.

The relevant dependency tree is below:-

+- org.apache.olingo:odata-client-core:jar:4.8.0:compile
[INFO] |  +- org.apache.olingo:odata-client-api:jar:4.8.0:compile
[INFO] |  |  \- org.apache.olingo:odata-commons-api:jar:4.8.0:compile
[INFO] |  +- org.apache.olingo:odata-commons-core:jar:4.8.0:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.6:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.12.6:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.12.6:compile
[INFO] |  |  +- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO] |  |  \- com.fasterxml.woodstox:woodstox-core:jar:6.2.4:compile

The issue is fixed in woodstox-core 6.4.0. The latest version of
odata-client-core (version 4.9.0) is still using the vulnerable
woodstox-core version.

   1. Is there any plan to upgrade the version of woodstox-core? If yes,
   which version is expected to have the fix?
   2. Is anyone aware whether woodstox-core 6.4.0 is compatible with
   odata-client-core 4.8.0 or 4.9.0, so that I can exclude
   woodstox-core 6.2.0 in my pom and add woodstox-core 6.4.0?

Re: CVE-2022-40153 on dependency woodstox-core

Posted by mibo <mi...@apache.org>.
Hi,

I have checked that Olingo works with Jackson 2.14.0 (which has a newer version of woodstox-core) and have updated the Jackson version accordingly.
It will be available with the next version, 4.10.0.
For your current project I suggest overriding/setting the Jackson version used to 2.14.0.

Kind Regards, Michael
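Both the question (exclude the transitive woodstox-core and add 6.4.0) and the reply (override the Jackson version to 2.14.0) come down to the same Maven mechanism: a managed version in the consuming project's pom wins over whatever odata-client-core declares transitively. The fragment below is an added, constructed pom.xml example; it is not from the Olingo project or from either poster. It assumes the public coordinates com.fasterxml.jackson:jackson-bom (the Jackson BOM) and com.fasterxml.woodstox:woodstox-core, and relies on the reply's statement that Jackson 2.14.0 brings a newer woodstox-core; whether 2.14.0 actually resolves to 6.4.0 or later is something to verify in your own build, as the command in the comments shows.

```xml
<!-- Added example pom.xml fragment (constructed; not from the Olingo project). -->
<project>
  <!-- ... groupId/artifactId/version of your own project ... -->

  <dependencyManagement>
    <dependencies>
      <!-- Option A, the reply's suggestion: import the Jackson BOM at 2.14.0.
           Every Jackson artifact that odata-client-core pulls in transitively
           (jackson-core, jackson-annotations, jackson-dataformat-xml, the JAXB
           module) is then resolved at 2.14.0, and jackson-dataformat-xml 2.14.0
           brings the newer woodstox-core the reply refers to. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>2.14.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- Option B, the question's own idea: pin only woodstox-core to the
           fixed release and leave Jackson at the 2.12.6 Olingo declares.
           A managed version replaces the transitive one, so no <exclusion>
           on odata-client-core is needed. If both A and B are present, the
           entry declared directly here takes precedence over the imported BOM.
           Note that 6.4.0 together with jackson-dataformat-xml 2.12.6 is a
           combination nobody on this thread reports having tested. -->
      <dependency>
        <groupId>com.fasterxml.woodstox</groupId>
        <artifactId>woodstox-core</artifactId>
        <version>6.4.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The dependency that brought woodstox-core 6.2.4 in transitively. -->
    <dependency>
      <groupId>org.apache.olingo</groupId>
      <artifactId>odata-client-core</artifactId>
      <version>4.9.0</version>
    </dependency>
  </dependencies>

  <!-- Verify the override took effect before trusting the CVE scanner:
         mvn dependency:tree -Dverbose -Dincludes=com.fasterxml.woodstox:woodstox-core
       With -Dverbose Maven prints the resolved artifact with the note
       "version managed from 6.2.4", which is the evidence the tracker
       should stop flagging. Run the project's own XML-handling tests after
       the change; a version override is not a compatibility check. -->
</project>
```

Keep only the option you intend to maintain: Option A tracks the combination the Olingo maintainer says he verified, while Option B is the smaller change but leaves the rest of Jackson at 2.12.6 and so also leaves any later Jackson fixes unapplied.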