Posted to users@camel.apache.org by Willem Jiang <wi...@gmail.com> on 2018/05/06 01:38:25 UTC

Re: Jackson vulnerabilities CVE-2017-17485 & CVE-2018-7489

Hi Grzegorz,

Is there any update on this issue?
We may need a JIRA to track this kind of issue.


Willem Jiang

Blog: http://willemjiang.blogspot.com (English)
          http://jnn.iteye.com  (Chinese)
Twitter: willemjiang
Weibo: 姜宁willem

On Tue, Apr 17, 2018 at 3:04 PM, Grzegorz Grzybek <gr...@gmail.com>
wrote:

> Hello
>
>
> > It may look like Jackson has not provided CVE fixes for these reports
> > on their 2.8.x versions. That version is what is in use for Camel
> > 2.20.x and 2.21.x and therefore it's more tricky to do something about
> > it. Camel users can try to switch to use Jackson 2.9.5 with their
> > Camel 2.20.x or 2.21.x as it's just a matter of selecting the JARs in
> > their classpath/application.
> >
>
> (Always) remember about swagger dependencies... Swagger quite loosely
> treats semantic versioning.
> Between 1.5.17 and 1.5.18 there was a Jackson upgrade from 2.8.x to 2.9.x.
>
> Just my heads-up that this should be checked.
>
> regards
> Grzegorz Grzybek
>
>
> > And as Jackson is also used by Spring Boot then we are trying to align
> > with the supported version of Jackson that Spring Boot uses. And Camel
> > 2.20.x and 2.21.x are using Spring Boot 1.5.x.
> >
> > And Jackson sometimes has incompatibility issues so it's not always an
> > easy upgrade.
> >
> >
> >
> >
> > On Mon, Apr 16, 2018 at 1:00 PM, David Atkins <da...@gmail.com>
> > wrote:
> > > Hello,
> > >
> > > I've recently run a dependency check on camel-jackson 2.21.0 and
> > > it appears that the version of Jackson being used (2.8.10) has two
> > > High/Severe vulnerabilities.
> > >
> > > To fix this for camel-jackson we'll need to upgrade as follows:
> > >
> > > CVE-2017-17485 - Jackson 2.9.3 or greater
> > > CVE-2018-7489 - Jackson 2.9.5 or greater
> > >
> > > I can see that the parent pom on the mainline has been upgraded to
> > > 2.9.4 (as part of spring boot 2 migration), so that covers
> > > CVE-2017-17485 'for free'
> > >
> > > More information available here:
> > >
> > > https://nvd.nist.gov/vuln/detail/CVE-2017-17485
> > > https://nvd.nist.gov/vuln/detail/CVE-2018-7489
> > >
> > > Shall I raise a JIRA to address this (possibly as two separate tickets
> > > to track both issues?)
> > >
> > > Thanks,
> > >
> > > David
> >
> >
> >
> > --
> > Claus Ibsen
> > -----------------
> > http://davsclaus.com @davsclaus
> > Camel in Action 2: https://www.manning.com/ibsen2
> >
>
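The two remedies discussed in the thread, selecting the Jackson 2.9.5 JARs for a Camel 2.20.x/2.21.x application and making sure a transitive dependency such as Swagger cannot drag a different Jackson back in, can both be expressed in the application's own pom.xml. The fragment below is an added example, not code from this thread or from the Camel project; it assumes a Maven project that already declares its Camel dependencies (camel-jackson, camel-swagger-java and so on) and, optionally, inherits from spring-boot-starter-parent 1.5.x. The version numbers 2.9.5 (CVE-2018-7489) and 2.9.3 (CVE-2017-17485) are the ones stated in the thread.

```xml
<!-- Added example pom.xml fragment (not from the thread or the Camel project).
     Assumes an application pom that already lists camel-jackson and
     camel-swagger-java as dependencies. -->

<properties>
  <!-- spring-boot-starter-parent 1.5.x defines the jackson.version property and
       manages every Jackson artifact through it. Overriding the property in the
       application pom is what actually takes effect when Boot is the parent,
       because a parent's managed versions win over an imported BOM. -->
  <jackson.version>2.9.5</jackson.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- For projects that do NOT inherit from the Spring Boot parent: importing
         Jackson's BOM pins every com.fasterxml.jackson.* artifact that arrives
         transitively (via camel-jackson, swagger-core, ...) to 2.9.5, regardless
         of the version Swagger 1.5.17 or 1.5.18 happens to declare.
         2.9.5 covers CVE-2018-7489; anything >= 2.9.3 already covers CVE-2017-17485. -->
    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <version>2.9.5</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After changing the pom, confirm that no dependency path still resolves an older Jackson with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`; every jackson-databind, jackson-core and jackson-annotations entry in the output should read 2.9.5. Re-running the same dependency check that flagged 2.8.10 is the final confirmation that both CVEs are gone from the build, and, as Claus notes, the 2.8 to 2.9 step should still be covered by the application's own tests because Jackson minor upgrades are not always behaviour-compatible.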