Posted to dev@avro.apache.org by "Oscar Westra van Holthe - Kind (JIRA)" <ji...@apache.org> on 2018/11/02 07:06:00 UTC
[jira] [Commented] (AVRO-1126) Upgrade to Jackson 2+
[ https://issues.apache.org/jira/browse/AVRO-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16672666#comment-16672666 ]
Oscar Westra van Holthe - Kind commented on AVRO-1126:
------------------------------------------------------
Fixing this issue has become more important due to [CVE-2018-7489|https://nvd.nist.gov/vuln/detail/CVE-2018-7489] (a remote code execution vulnerability in older Jackson versions).
From the CVE:
{quote}
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
{quote}
> Upgrade to Jackson 2+
> ---------------------
>
> Key: AVRO-1126
> URL: https://issues.apache.org/jira/browse/AVRO-1126
> Project: Avro
> Issue Type: Task
> Components: java
> Reporter: James Tyrrell
> Assignee: Charles Honton
> Priority: Critical
> Fix For: 1.9.0
>
>
> Quite annoyingly, with Jackson 2+ the base package name has changed from org.codehaus.jackson to com.fasterxml.jackson, so in addition to changing the dependencies from:
> {code:xml}
> <dependency>
> <groupId>org.codehaus.jackson</groupId>
> <artifactId>jackson-core-asl</artifactId>
> <version>${jackson.version}</version>
> </dependency>
> <dependency>
> <groupId>org.codehaus.jackson</groupId>
> <artifactId>jackson-mapper-asl</artifactId>
> <version>${jackson.version}</version>
> </dependency>
> {code}
> to:
> {code:xml}
> <dependency>
> <groupId>com.fasterxml.jackson.core</groupId>
> <artifactId>jackson-core</artifactId>
> <version>${jackson.version}</version>
> </dependency>
> <dependency>
> <groupId>com.fasterxml.jackson.core</groupId>
> <artifactId>jackson-databind</artifactId>
> <version>${jackson.version}</version>
> </dependency>
> {code}
> the base package in the code needs to be updated. More info can be found [here|http://wiki.fasterxml.com/JacksonUpgradeFrom19To20]. I am happy to do the work; just let me know what is preferable, i.e. should I just attach a patch to this issue?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
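Added example, not Avro project code and not from either participant above: the ObjectMapper configuration that makes the deserialization flaw quoted in the comment reachable (the JSON document naming the Java class to instantiate, guarded only by Jackson's deny-list of known gadgets), shown beside two hardened forms. It assumes jackson-databind 2.10 or later, where activateDefaultTyping and PolymorphicTypeValidator exist; the Shape/Circle/Square/Point classes, the "kind" property and all JSON inputs are hypothetical and constructed for the demonstration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Hypothetical domain types (not Avro's).
    // Polymorphism through logical names: the JSON can only select one of the
    // subtypes listed here; it can never supply a Java class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public static abstract class Shape { }
    public static class Circle extends Shape { public double radius; }
    public static class Square extends Shape { public double side; }

    // Unannotated bean, used to show default typing bound to an allow-list.
    public static class Point { public int x, y; }

    // Constructed sample inputs.
    static final String NAMED_SHAPE   = "{\"kind\":\"circle\",\"radius\":2.0}";
    static final String CLASS_AS_KIND = "{\"kind\":\"com.example.NotARegisteredSubtype\",\"radius\":2.0}";
    // Jackson's default-typing wire form: [ "<fully qualified class>", { ...fields... } ]
    static final String TYPED_POINT   = "[\"" + Point.class.getName() + "\",{\"x\":1,\"y\":2}]";
    static final String TYPED_OTHER   = "[\"java.util.HashMap\",{\"x\":1}]";

    /** Dangerous: any input may name the class to instantiate. Before 2.10 the only
     *  guard was a deny-list of known gadget classes, which is what CVE-2018-7489 bypassed. */
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    /** Preferred: default typing left off; polymorphism only via @JsonTypeInfo(NAME). */
    static ObjectMapper safeMapper() {
        return JsonMapper.builder().build();
    }

    /** When class-name typing cannot be removed (legacy data), bind it to an explicit
     *  allow-list so anything outside it is rejected whatever is on the classpath. */
    static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Point.class)   // only Point (and its subclasses) may be named
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
            .build();
    }

    /** Parses the input and reports either the concrete class produced or the rejection. */
    static String describe(ObjectMapper m, String json, Class<?> target) {
        try {
            Object v = m.readValue(json, target);
            return "accepted -> " + v.getClass().getName();
        } catch (JsonMappingException e) {
            // Rejections from NAME typing or from the validator surface here
            // (InvalidTypeIdException is a JsonMappingException).
            return "rejected -> " + e.getClass().getSimpleName();
        } catch (Exception e) {
            return "error -> " + e;
        }
    }

    public static void main(String[] args) {
        // Input chooses the class; only the deny-list stands in the way.
        System.out.println("unsafe, class-named input : " + describe(unsafeMapper(), TYPED_OTHER, Object.class));
        // Logical type ids: a registered name works, a class name is not a known id.
        System.out.println("safe,   named subtype     : " + describe(safeMapper(), NAMED_SHAPE, Shape.class));
        System.out.println("safe,   class as kind     : " + describe(safeMapper(), CLASS_AS_KIND, Shape.class));
        // Allow-list: the listed type resolves, anything else is denied by the validator.
        System.out.println("allow,  Point             : " + describe(allowListMapper(), TYPED_POINT, Object.class));
        System.out.println("allow,  HashMap           : " + describe(allowListMapper(), TYPED_OTHER, Object.class));
    }
}
```

The upgrade the issue tracks is still the first fix: a validator does nothing for a jackson-databind that predates it. Before and after the switch to the com.fasterxml artifacts, check which version actually lands on the classpath (transitive dependencies can pin an older one) with: mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind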