Posted to issues@beam.apache.org by "Tatu Saloranta (Jira)" <ji...@apache.org> on 2019/12/06 00:16:00 UTC

[jira] [Commented] (BEAM-7881) Get rid of jackson to avoid the continuous flow of CVEs in Jackson

    [ https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989267#comment-16989267 ] 

Tatu Saloranta commented on BEAM-7881:
--------------------------------------

[~romain.manni-bucau] I am sorry but I am not sure I understand the points. But the fact is that the stream of CVEs will stop with 2.10, and with default settings Jackson does not have vulnerabilities regarding polymorphic typing. If user code explicitly enables use of unsafe features, that is no different from custom code opening security holes by any other means – if code execution is allowed, the framework cannot do much to try to prevent self-inflicted problems.

> Get rid of jackson to avoid the continuous flow of CVEs in Jackson
> ------------------------------------------------------------------
>
>                 Key: BEAM-7881
>                 URL: https://issues.apache.org/jira/browse/BEAM-7881
>             Project: Beam
>          Issue Type: Task
>          Components: sdk-java-core
>    Affects Versions: 2.14.0
>            Reporter: Romain Manni-Bucau
>            Priority: Blocker
>
> Jackson keeps having CVEs on all releases of databind, and transitively beam sdk java core has CVEs on all its releases (for the record, when writing this issue you must use at least jackson-databind 2.9.9.2, but last week it was 2.9.9.1 and 2.14 didn't get the fix).
> It would be neat to get rid of Jackson, which has not fixed this issue for a very long time now, and just use JSON-B or another JSON impl to ensure the CVE is not usable because Beam is there.



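The distinction drawn in the comment above, between Jackson's default settings and an explicit opt-in to polymorphic default typing, as an added example (not Beam or Jackson project code). It assumes jackson-databind 2.10 or later on the classpath; the Event/Login classes and the JSON inputs are constructed for the demo.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed hierarchy for the demo; not a Beam type.
    public static abstract class Event { public String id; }
    public static class Login extends Event { public String user; }

    // Default-typing "array" form: element 0 names the class to instantiate, element 1 is its value.
    static final String OUR_TYPE   = "[\"" + Login.class.getName() + "\",{\"id\":\"1\",\"user\":\"alice\"}]";
    static final String OTHER_TYPE = "[\"java.util.HashMap\",{}]";  // harmless stand-in for "any class name"

    // 1) Default settings: default typing is off, so the input cannot pick a class at all.
    static Object withDefaults(String json) throws Exception {
        return new ObjectMapper().readValue(json, Object.class);   // plain java.util.List, nothing instantiated
    }

    // 2) The explicit, pre-2.10 style opt-in: honour whatever class name the input provides.
    @SuppressWarnings("deprecation")
    static Object withUnsafeOptIn(String json) throws Exception {
        ObjectMapper m = new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m.readValue(json, Object.class);
    }

    // 3) 2.10+ opt-in: default typing is active, but only classes the validator allows are resolved.
    static Object withAllowList(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)        // only Event and its subclasses may be named
                .build();
        ObjectMapper m = JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
        return m.readValue(json, Object.class);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(withDefaults(OTHER_TYPE).getClass());      // class java.util.ArrayList
        System.out.println(withUnsafeOptIn(OTHER_TYPE).getClass());   // class java.util.HashMap: the input chose it
        System.out.println(withAllowList(OUR_TYPE).getClass());       // class DefaultTypingDemo$Login
        try {
            withAllowList(OTHER_TYPE);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId()); // rejected type id: java.util.HashMap
        }
    }
}
```

Only the second mapper lets the JSON decide which class is constructed; the third keeps polymorphic typing usable while confining it to the allow-listed hierarchy.
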
--
This message was sent by Atlassian Jira
(v8.3.4#803005)