Jackson versions and vulnerabilities #17444

Closed
alkoclick opened this issue Sep 1, 2020 · 16 comments
Labels: Source: Community (PR or issue was opened by a community user), Team: Core, Type: Defect

Comments

@alkoclick

alkoclick commented Sep 1, 2020

Hey folks,

Hazelcast shades Jackson 2.9.7, which currently is about 2 years old. There's a lot of Jackson CVEs out there (FasterXML/jackson-databind#2814 is the latest that popped up for us), often centered around gadgets, as explained by cowtowncoder (primary Jackson maintainer) himself in this medium article.

It is possible that Hazelcast is affected by CVE-2020-24616, though it looks unlikely to me, you don't seem to be using Anteros-DBCP. It is possible that Hazelcast is affected by one of the other Jackson-targeting CVEs, which I could see being exploited in ways similar to #802.

Nevertheless and since this is a 2 y.o version anyway, would it be a reasonable goal to switch to a newer version such as 2.11 and resolve both these issues?

@mmedenjak mmedenjak added Source: Community PR or issue was opened by a community user Team: Core labels Sep 2, 2020
@mmedenjak
Contributor

Hi @alkoclick ! Yes, you're right. We should definitely take a look. Unfortunately, this issue comes at both an unfortunate and an opportune time, when we're finalising a new release. We don't want to introduce too many changes and would prefer to stabilise the codebase. Still, it seems this is important. So I'll put this in the current milestone and see if it's simple to achieve and not too disruptive.

@mmedenjak mmedenjak added this to the 4.1 milestone Sep 2, 2020
@melloware

OWASP dependency-check-maven plugin is reporting this as of this week blocking builds.

hazelcast-4.0.2.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml (pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7, cpe:2.3:a:fasterxml:jackson:2.9.7:*:*:*:*:*:*:*) : CVE-2020-24616
hazelcast-4.0.2.jar/META-INF/maven/org.snakeyaml/snakeyaml-engine/pom.xml (pkg:maven/org.snakeyaml/snakeyaml-engine@1.0, cpe:2.3:a:snakeyaml_project:snakeyaml:1.0:*:*:*:*:*:*:*) : CVE-2017-18640
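The scanner output above comes from the Maven POMs that a shaded jar carries under META-INF/maven. The script below, added here and not part of this thread or of Hazelcast, lists those POMs the same way and flags the ones older than the fixed versions named later in the thread (Jackson 2.11.2, SnakeYAML 2.1); the jar it inspects is constructed in memory and only imitates the hazelcast-4.0.2.jar layout.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Earliest fixed versions named in this thread: Jackson 2.11.2 (CVE-2020-24616), SnakeYAML 2.1 (CVE-2017-18640).
FIXED_VERSIONS = {
    "com.fasterxml.jackson.core:jackson-core": "2.11.2",
    "org.snakeyaml:snakeyaml-engine": "2.1",
}
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.xml$")

def _local(elem, tag):  # first direct child with this local name (POMs use a default namespace)
    return next((c for c in elem if c.tag.split("}")[-1] == tag), None)

def shaded_artifacts(jar_bytes):
    """Map groupId:artifactId -> version for every Maven POM shaded into the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_RE.match(name)
            if not m:
                continue
            root = ET.fromstring(jar.read(name))
            ver = _local(root, "version")
            if ver is None and _local(root, "parent") is not None:  # version inherited from <parent>
                ver = _local(_local(root, "parent"), "version")
            found[f"{m.group(1)}:{m.group(2)}"] = (ver.text or "").strip() if ver is not None else ""
    return found

def version_key(version):
    """Numeric components only, so '4.1-BETA-1' compares as (4, 1, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def outdated(artifacts):
    """Shaded artifacts older than the first fixed version listed in FIXED_VERSIONS (unknown versions count as old)."""
    return {k: v for k, v in artifacts.items()
            if k in FIXED_VERSIONS and version_key(v) < version_key(FIXED_VERSIONS[k])}

def build_sample_jar():
    """Constructed jar imitating hazelcast-4.0.2's shaded layout; not the real artifact."""
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><groupId>%s</groupId>'
           '<artifactId>%s</artifactId><version>%s</version></project>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for gid, aid, ver in (("com.fasterxml.jackson.core", "jackson-core", "2.9.7"),
                              ("org.snakeyaml", "snakeyaml-engine", "1.0")):
            jar.writestr(f"META-INF/maven/{gid}/{aid}/pom.xml", pom % (gid, aid, ver))
    return buf.getvalue()
```

Running `outdated(shaded_artifacts(open("hazelcast-4.0.2.jar", "rb").read()))` against a real jar reports the same two artifacts the OWASP plugin flags above; an empty result after upgrading is the check that the shaded copies, not just the declared dependency, actually moved.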

@a1dutch

a1dutch commented Sep 4, 2020

@mmedenjak can this be backported to 3.12.x?

@mmedenjak
Contributor

Depends on the extent of changes introduced by this. We have compatibility guarantees that we are not supposed to break in minor releases, although some might be ignored if the vulnerability is severe.

@mmedenjak
Contributor

@melloware @a1dutch we just merged #17484, which bumps the jackson dependency to 2.11.2, which fixes CVE-2020-24616.

We also merged #17446 which bumped SnakeYAML to 2.1, which fixes CVE-2017-18640.

This was for the 4.1 mainline, I'll backport to the 4.0.z and 3.12.z branches, although for 3.12 I'll have to see if these upgrades are JDK6 compatible.

@melloware

Fantastic news. Once released we will upgrade to 4.0.3!

@mmedenjak
Contributor

The fixes have now been merged to the upcoming 4.1, 4.0.3 and 3.12.10 releases. Closing, thank you for the report and the PRs!

@melloware

melloware commented Sep 9, 2020

@mmedenjak I am still getting this error with OWASP plugin and hazelcast-4.1-BETA-1:

CVE-2017-18640
hazelcast-4.1-BETA-1.jar/META-INF/maven/org.snakeyaml/snakeyaml-engine/pom.xml (pkg:maven/org.snakeyaml/snakeyaml-engine@1.0, cpe:2.3:a:snakeyaml_project:snakeyaml:1.0:*:*:*:*:*:*:*) : CVE-2017-18640

@mmedenjak
Contributor

mmedenjak commented Sep 9, 2020

BETA-1 hasn't received the fix as the fix came in quite late and we already ran release verification tests for the BETA release. It will be in 4.1-GA, which will be released in about a month or two. We don't recommend BETA releases for production anyway so I think it's ok.

@a1dutch

a1dutch commented Sep 10, 2020

@mmedenjak is there any timeframe on when the releases will take place?

Our deployments are currently blocked until the vulnerabilities are fixed.

@mmedenjak
Contributor

4.1-GA will be out around late October and both 4.0.3 and 3.12.10 might be out in several weeks. By then, if you really need to progress with your deployments, you can depend on the SNAPSHOT versions of 4.0.3-SNAPSHOT and 4.1-SNAPSHOT as both should be stabler than the BETA release already.

@a1dutch

a1dutch commented Sep 10, 2020

We cannot use Snapshots I'm afraid. What about 3.12? Any chance of a release just with the updated shaded jars?

@mmedenjak
Contributor

It will all be released in due time, as mentioned.

@alkoclick
Author

@mmedenjak Thanks a lot for the hard work on delivering this under such a tight schedule!

@a1dutch I would recommend ignoring this in your vulnerability scanner until the new versions are out. As I point out in my original post, CVE-2020-24616 does not seem to affect Hazelcast anyway.

@mmedenjak
Contributor

An update - we've started the release process for 4.0.3, it should be out some time next week.

@mmedenjak mmedenjak modified the milestones: 4.1, 3.12.10 Sep 11, 2020
@mmedenjak
Contributor

Hazelcast 4.0.3 was released yesterday.
