Posted to dev@tinkerpop.apache.org by "Stephen Mallette (Jira)" <ji...@apache.org> on 2020/04/23 17:18:00 UTC

[jira] [Closed] (TINKERPOP-2355) Jackson-databind version in Gremlin shaded dependency needs to be increased - introduces vulnerability issues

     [ https://issues.apache.org/jira/browse/TINKERPOP-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Mallette closed TINKERPOP-2355.
---------------------------------------
    Fix Version/s: 3.4.7
                   3.3.11
         Assignee: Stephen Mallette
       Resolution: Fixed

Bumped to 2.9.10.4 on:

https://github.com/apache/tinkerpop/commit/be2c17a252f81ac409a67381c47e985a6de434e8

> Jackson-databind version in Gremlin shaded dependency needs to be increased  - introduces vulnerability issues
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2355
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2355
>             Project: TinkerPop
>          Issue Type: Bug
>          Components: build-release
>    Affects Versions: 3.4.6
>            Reporter: Simeon Andonov
>            Assignee: Stephen Mallette
>            Priority: Critical
>             Fix For: 3.3.11, 3.4.7
>
>
> Hello colleagues,
> Encountering the following vulnerabilities during a Vulas scan of TinkerPop 3.4.6:
>  * FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
>  * FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
>  * FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
>  
> Vulnerability Id: CVE-2019-20330
> Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. 
> References:
>  * [https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9]
>  * [https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e]
>  * [https://github.com/FasterXML/jackson-databind/issues/2526]
> It seems that these issues are resolved in jackson-databind 2.10.2.
> Probably a change similar to this one ([https://github.com/apache/tinkerpop/pull/1220/files]), but applying 2.10.2, will resolve the vulnerabilities.
> Thanks in advance for the help!
> Best Regards,
> Simeon Andonov



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
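The report above flags jackson-databind versions below 2.9.10.4 bundled inside the gremlin-shaded artifact, and the fix bumps that bundled copy. A scanner such as Vulas finds it, but it is useful to be able to confirm directly which jackson-databind a shaded jar carries before and after the upgrade. The script below is an added example, not TinkerPop project code: it opens a jar, looks for the dependency's own `META-INF/maven/<groupId>/jackson-databind/pom.properties` entry (which maven-shade-plugin keeps unless the build filters it out; that this entry survives in gremlin-shaded is an assumption), parses the version, and compares it against 2.9.10.4 as a four-part tuple so that the 2.9.10.x micro releases order correctly. The `make_test_jar` helper builds a constructed fixture jar in memory so the check runs offline; the relocated `org.apache.tinkerpop.shaded.jackson` class path it writes is assumed, not taken from the page.

```python
"""Report which jackson-databind version a (possibly shaded) jar bundles.

Added example, not TinkerPop code. Assumes the shade plugin kept the
dependency's META-INF/maven/.../pom.properties entry in the shaded jar;
if it was stripped, the jar is reported as 'unknown' rather than guessed.
"""
import io
import re
import zipfile

# Lowest jackson-databind release that closes every issue in the report;
# TINKERPOP-2355 bumped gremlin-shaded to exactly this version.
MIN_SAFE_VERSION = "2.9.10.4"

# Matches the pom.properties maven-shade keeps for the bundled dependency.
POM_PROPS_RE = re.compile(r"^META-INF/maven/[^/]+/jackson-databind/pom\.properties$")


def parse_version(v):
    """Turn '2.9.10.4' into (2, 9, 10, 4) so that 2.9.10.4 > 2.9.10 > 2.9.9."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_at_least(found, minimum=MIN_SAFE_VERSION):
    """True when the found version is not older than the minimum."""
    return parse_version(found) >= parse_version(minimum)


def bundled_jackson_databind_versions(jar_bytes):
    """Return every jackson-databind version recorded in pom.properties entries."""
    versions = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if POM_PROPS_RE.match(name):
                props = zf.read(name).decode("utf-8", errors="replace")
                for line in props.splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        versions.append(value.strip())
    return versions


def audit_jar(jar_bytes):
    """Classify a jar as 'unknown' (no metadata), 'vulnerable' or 'ok'."""
    versions = bundled_jackson_databind_versions(jar_bytes)
    if not versions:
        return "unknown", versions
    if all(is_at_least(v) for v in versions):
        return "ok", versions
    return "vulnerable", versions


def make_test_jar(version=None):
    """Constructed fixture: a minimal jar, optionally with one pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(
                "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                "version=%s\ngroupId=com.fasterxml.jackson.core\n"
                "artifactId=jackson-databind\n" % version,
            )
        # Relocated class path like gremlin-shaded's (assumed layout); the
        # version cannot be read from here, which is why pom.properties is used.
        zf.writestr("org/apache/tinkerpop/shaded/jackson/databind/ObjectMapper.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # usage: python audit_jackson.py gremlin-shaded-3.4.6.jar [more jars...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            status, found = audit_jar(f.read())
        print(path, status, found)
```

An "unknown" result is a reason to look harder, not a pass: a build that filters `META-INF/maven/**` out of the shaded jar leaves the bundled copy with no version record, and the relocated class files alone do not identify it.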