Posted to dev@tinkerpop.apache.org by "Stephen Mallette (Jira)" <ji...@apache.org> on 2020/04/23 17:18:00 UTC
[jira] [Closed] (TINKERPOP-2355) Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues
[ https://issues.apache.org/jira/browse/TINKERPOP-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephen Mallette closed TINKERPOP-2355.
---------------------------------------
Fix Version/s: 3.4.7, 3.3.11
Assignee: Stephen Mallette
Resolution: Fixed
Bumped to 2.9.10.4 on:
https://github.com/apache/tinkerpop/commit/be2c17a252f81ac409a67381c47e985a6de434e8
> Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues
> --------------------------------------------------------------------------------------------------------------
>
> Key: TINKERPOP-2355
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2355
> Project: TinkerPop
> Issue Type: Bug
> Components: build-release
> Affects Versions: 3.4.6
> Reporter: Simeon Andonov
> Assignee: Stephen Mallette
> Priority: Critical
> Fix For: 3.3.11, 3.4.7
>
>
> Hello colleagues,
> Encountering the following vulnerabilities during a Vulas scan of TinkerPop 3.4.6:
> * FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
> * FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
> * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
> * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
> * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
>
> Vulnerability Id: CVE-2019-20330
> Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
> References:
> * [https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9]
> * [https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e]
> * [https://github.com/FasterXML/jackson-databind/issues/2526]
> It seems that these issues are resolved in jackson-databind 2.10.2.
> Probably a change similar to this one ([https://github.com/apache/tinkerpop/pull/1220/files]), but applying 2.10.2, will resolve the vulnerabilities.
> Thanks in advance for the help!
> Best Regards,
> Simeon Andonov
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
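The ticket above turns on two practical questions: which jackson-databind version a shaded jar actually embeds, and whether that version is at or above the patch level the CVE descriptions name (2.9.10.4 on the 2.9 line, with the reporter noting 2.10.2 also resolves them). The script below is an added example, not TinkerPop project code and not part of the Jira thread. It assumes the shaded jar still carries the upstream artifact's META-INF/maven/<groupId>/<artifactId>/pom.properties entry (maven-shade-plugin keeps it unless the build filters META-INF/maven/**), and that jackson classes are relocated under an org.apache.tinkerpop.shaded.jackson package; both are assumptions about the layout, and the jar it inspects is constructed in memory so the check runs offline. The version floors are taken from the ticket text; treating lines newer than 2.10 as fixed and lines older than 2.9 as affected is the script's own assumption.

```python
"""Check the jackson-databind version embedded in a shaded jar against the
floors named in TINKERPOP-2355. Added example; not TinkerPop project code."""
import io
import zipfile

# maven-shade-plugin carries this entry over from the original artifact
# unless the build filters META-INF/maven/** (assumption about the jar layout).
JACKSON_POM_PROPERTIES = (
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
)

# Floors from the ticket text: 2.9.10.4 on the 2.9 line (this also satisfies
# the 2.9.10.2 floor for CVE-2019-20330); the reporter states 2.10.2 resolves
# the issues. Newer lines are assumed fixed, older lines assumed affected.
FIXED_FLOORS = {
    (2, 9): (2, 9, 10, 4),
    (2, 10): (2, 10, 2),
}


def parse_version(text):
    """'2.9.10.4' -> (2, 9, 10, 4); drops a '-SNAPSHOT' / '-rc1' qualifier."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_at_least(version, floor):
    """Numeric, zero-padded comparison. Plain string comparison gets this
    wrong: '2.9.10.4' > '2.10.2' lexically, and a 4-component patch release
    like 2.9.10.4 must compare above its 3-component base 2.9.10."""
    width = max(len(version), len(floor))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(version) >= pad(floor)


def is_fixed(version_text):
    """True when the version meets the floor for its minor line."""
    version = parse_version(version_text)
    line = version[:2]
    if line in FIXED_FLOORS:
        return version_at_least(version, FIXED_FLOORS[line])
    return line > max(FIXED_FLOORS)


def embedded_jackson_version(jar_bytes):
    """Version recorded in the shaded jar's jackson-databind pom.properties,
    or None when that entry is absent (e.g. filtered out by the shade config)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if JACKSON_POM_PROPERTIES not in jar.namelist():
            return None
        props = jar.read(JACKSON_POM_PROPERTIES).decode("utf-8")
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def check_jar(jar_bytes):
    """Return (version, ok). ok is False when the version is missing or
    below the floor for its line, so an unreadable jar fails closed."""
    version = embedded_jackson_version(jar_bytes)
    if version is None:
        return None, False
    return version, is_fixed(version)


def build_sample_jar(version, include_properties=True):
    """Constructed stand-in for a shaded jar: one relocated class entry
    (package name assumed) plus the upstream pom.properties. Not a real
    TinkerPop artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(
            "org/apache/tinkerpop/shaded/jackson/databind/ObjectMapper.class",
            b"\xca\xfe\xba\xbe",  # class-file magic only; body irrelevant here
        )
        if include_properties:
            jar.writestr(
                JACKSON_POM_PROPERTIES,
                "#Generated by Maven\n"
                "version=%s\n"
                "groupId=com.fasterxml.jackson.core\n"
                "artifactId=jackson-databind\n" % version,
            )
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.9.10", "2.9.10.4", "2.10.2"):
        print(v, check_jar(build_sample_jar(v)))
```

Run it against a real artifact by replacing build_sample_jar(...) with the bytes of the gremlin-shaded jar on disk. If check_jar returns (None, False), the pom.properties entry was stripped during shading; scanners such as the one in the report identify relocated libraries by class-file fingerprints rather than Maven metadata, so in that case fall back to inspecting the relocated PackageVersion class or the upstream build's pom rather than concluding the dependency is absent.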