Posted to dev@avro.apache.org by "Oscar Westra van Holthe - Kind (JIRA)" <ji...@apache.org> on 2018/11/02 07:06:00 UTC

[jira] [Commented] (AVRO-1126) Upgrade to Jackson 2+

    [ https://issues.apache.org/jira/browse/AVRO-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16672666#comment-16672666 ] 

Oscar Westra van Holthe - Kind commented on AVRO-1126:
------------------------------------------------------

Fixing this issue has become more important, due to [CVE-2018-7489|https://nvd.nist.gov/vuln/detail/CVE-2018-7489] (a remote code execution vulnerability in older Jackson versions).
From the CVE:
{quote}
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
{quote}

> Upgrade to Jackson 2+
> ---------------------
>
>                 Key: AVRO-1126
>                 URL: https://issues.apache.org/jira/browse/AVRO-1126
>             Project: Avro
>          Issue Type: Task
>          Components: java
>            Reporter: James Tyrrell
>            Assignee: Charles Honton
>            Priority: Critical
>             Fix For: 1.9.0
>
>
> Quite annoyingly with Jackson 2+ the base package name has changed from org.codehaus.jackson to com.fasterxml.jackson so in addition to changing the dependencies from:
> {code:xml} 
> <dependency>
>     <groupId>org.codehaus.jackson</groupId>
>     <artifactId>jackson-core-asl</artifactId>
>     <version>${jackson.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.codehaus.jackson</groupId>
>     <artifactId>jackson-mapper-asl</artifactId>
>     <version>${jackson.version}</version>
> </dependency>
> {code} 
> to:
> {code:xml} 
> <dependency>
>     <groupId>com.fasterxml.jackson.core</groupId>
>     <artifactId>jackson-core</artifactId>
>     <version>${jackson.version}</version>
> </dependency>
> <dependency>
>     <groupId>com.fasterxml.jackson.core</groupId>
>     <artifactId>jackson-databind</artifactId>
>     <version>${jackson.version}</version>
> </dependency>
> {code} 
> the base package in the code needs to be updated. More info can be found [here|http://wiki.fasterxml.com/JacksonUpgradeFrom19To20]. I am happy to do the work, just let me know what is preferable, i.e. should I just attach a patch to this issue?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
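The comment above quotes the affected range from CVE-2018-7489 ("before 2.8.11.1 and 2.9.x before 2.9.5") and the condition that makes the blacklist bypass exploitable (c3p0 on the classpath), and the issue description lists the Jackson 1 coordinates that Avro was still pulling in. The script below is an added example, not code from the JIRA thread or the Avro project: it audits `mvn dependency:list` output for exactly those three things. Assumptions not stated on the page: the output line format `group:artifact:type[:classifier]:version[:scope]` with an optional `[INFO]` prefix, the c3p0 coordinates `com.mchange:c3p0` (older builds use `c3p0:c3p0`, so it matches on artifactId), and that pre-release qualifiers sort as their numeric prefix. The sample dependency list is constructed for illustration.

```python
"""Audit a Maven dependency list for CVE-2018-7489 exposure.

Added example; not part of AVRO-1126 or the Avro code base.
Affected ranges are taken from the CVE text quoted in the comment:
jackson-databind < 2.8.11.1, and 2.9.x < 2.9.5, exploitable when c3p0
is on the classpath.
"""
import re
from typing import Iterable, Optional, Tuple

# Fixed versions from the CVE text.
FIXED_2_8 = (2, 8, 11, 1)
FIXED_2_9 = (2, 9, 5)

# Constructed sample in `mvn dependency:list` format (assumption: this layout).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.avro:avro:jar:1.8.2:compile
[INFO]    org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile
[INFO]    com.mchange:c3p0:jar:0.9.5.2:runtime
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.8.11.1' -> (2, 8, 11, 1). Non-numeric qualifiers such as '.pr1'
    stop the parse (assumption: a pre-release sorts as its numeric prefix)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Compare version tuples with zero-padding so (2,8,11) < (2,8,11,1)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def databind_vulnerable(version: str) -> bool:
    """True if this jackson-databind version is in the CVE's affected range."""
    v = parse_version(version)
    if not v or v[0] != 2:
        return False  # unparseable or not a 2.x artifact; nothing to say
    if v[:2] == (2, 9):
        return _lt(v, FIXED_2_9)
    return _lt(v, FIXED_2_8)


def parse_dep(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for one dependency line, else None."""
    line = line.strip()
    if line.startswith("[INFO]"):
        line = line[len("[INFO]"):].strip()
    if not line or " " in line:
        return None  # prose lines from the Maven log, not coordinates
    parts = line.split(":")
    if len(parts) in (4, 5):      # group:artifact:type:version[:scope]
        g, a, v = parts[0], parts[1], parts[3]
    elif len(parts) == 6:         # group:artifact:type:classifier:version:scope
        g, a, v = parts[0], parts[1], parts[4]
    else:
        return None
    return (g, a, v) if g and a and v else None


def audit(lines: Iterable[str]) -> dict:
    """Collect the findings a reviewer of this issue would want to see.

    Note the caveat: a dependency list cannot show whether the application
    enables polymorphic (default) typing on its ObjectMapper, which the
    attack also needs. This flags classpath exposure, not confirmed RCE.
    """
    findings = {
        "vulnerable_databind": [],   # affected jackson-databind versions found
        "c3p0_present": False,       # gadget library from the CVE text
        "jackson1_present": [],      # org.codehaus.jackson artifacts (the subject of AVRO-1126)
    }
    for line in lines:
        dep = parse_dep(line)
        if dep is None:
            continue
        g, a, v = dep
        if g == "com.fasterxml.jackson.core" and a == "jackson-databind":
            if databind_vulnerable(v):
                findings["vulnerable_databind"].append(v)
        elif a == "c3p0":  # assumption: com.mchange:c3p0 or legacy c3p0:c3p0
            findings["c3p0_present"] = True
        elif g == "org.codehaus.jackson":
            findings["jackson1_present"].append(f"{a}:{v}")
    findings["cve_2018_7489_exposed"] = (
        bool(findings["vulnerable_databind"]) and findings["c3p0_present"]
    )
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DEPENDENCY_LIST.splitlines()).items():
        print(f"{key}: {value}")
```

Run it as `mvn dependency:list | python audit_jackson.py` after replacing the sample with `sys.stdin`; a non-empty `jackson1_present` list is the condition this issue exists to remove, and `cve_2018_7489_exposed` is the classpath combination the quoted CVE describes.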