[Java] CVE-2022-42003: FasterXML jackson-databind before 2.14.0-rc #35771

Closed
JoePercipientAI opened this issue May 25, 2023 · 3 comments · Fixed by #35791
Comments

@JoePercipientAI

Describe the bug, including details regarding any error messages, version, and platform.

https://nvd.nist.gov/vuln/detail/CVE-2022-42003

This CVE is present in latest release of Apache Arrow (and earlier releases). The vulnerability is in jackson-databind.
The latest release of Apache Arrow uses jackson-databind version 2.13.4. The CVE is resolved in version 2.13.4.2.

Is there anything preventing Apache Arrow from upgrading to a later version of jackson-databind to eliminate this CVE?

Component(s)

Packaging

@lidavidm
Member

No, we should be fine upgrading immediately (and you should be fine forcing Maven to resolve a newer version)

@davisusanibar can you bump this?

And I vaguely recall that Jackson is there for testing (to load the integration test files), in which case we should see about eliminating it as a dependency (in anything we ship)
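For downstream users who cannot wait for the release, the comment above suggests forcing Maven to resolve a newer jackson-databind. The following pom.xml is an added example and not code from the Arrow project: it pins jackson-databind to 2.13.4.2, the fixed version cited in the issue, via `dependencyManagement`, which in Maven overrides the version requested by any transitive dependency. The `arrow-vector` dependency and the `ARROW_VERSION` property value are placeholders standing in for whatever Arrow artifact and release the consuming project actually uses.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the Arrow project): a consumer's pom.xml that
     forces the patched jackson-databind regardless of what Arrow's own POM
     (2.13.4 at the time of the issue) pulls in transitively. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>arrow-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Placeholder: set to the Arrow release your project uses. -->
    <arrow.version>ARROW_VERSION</arrow.version>
    <!-- Fixed version named in the issue for CVE-2022-42003. -->
    <jackson.databind.version>2.13.4.2</jackson.databind.version>
  </properties>

  <!-- dependencyManagement applies to transitive dependencies too, so the
       version declared here wins over the 2.13.4 requested by Arrow. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.databind.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed consumer dependency; arrow-vector is one Arrow Java artifact
         that brings jackson-databind in transitively. -->
    <dependency>
      <groupId>org.apache.arrow</groupId>
      <artifactId>arrow-vector</artifactId>
      <version>${arrow.version}</version>
    </dependency>
  </dependencies>
</project>
```

After changing the POM, confirm what actually got resolved rather than trusting the declaration: `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` prints every path through which jackson-databind enters the build and the version Maven selected for it. If the tree still shows 2.13.4, the override is not in effect (for example because the pin was placed in a child module rather than the parent that declares the dependency).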

@kou kou changed the title CVE-2022-42003 [Java] CVE-2022-42003: FasterXML jackson-databind before 2.14.0-rc May 26, 2023
@lidavidm lidavidm self-assigned this May 26, 2023
lidavidm added a commit to lidavidm/arrow that referenced this issue May 26, 2023
@lidavidm lidavidm added this to the 12.0.1 milestone May 26, 2023
@JoePercipientAI
Author

Thanks for jumping on this so fast! Excellent!
Is there a target release date for 12.0.1?

@lidavidm
Member

Look at the mailing list (https://lists.apache.org/thread/ncjlh5t1yvmgbyg8vflkb57pq1o1snpj) but "ASAP" (in my estimation, probably at least a week though just because a release is fairly expensive 🙁)

lidavidm added a commit that referenced this issue May 26, 2023
### Rationale for this change

A dependency has a reported CVE.

### What changes are included in this PR?

Bump the dependency.

### Are these changes tested?

N/A

### Are there any user-facing changes?

No.

**This PR contains a "Critical Fix".**
* Closes: #35771

Authored-by: David Li <li.davidm96@gmail.com>
Signed-off-by: David Li <li.davidm96@gmail.com>
raulcd pushed a commit that referenced this issue May 30, 2023
### Rationale for this change

A dependency has a reported CVE.

### What changes are included in this PR?

Bump the dependency.

### Are these changes tested?

N/A

### Are there any user-facing changes?

No.

**This PR contains a "Critical Fix".**
* Closes: #35771

Authored-by: David Li <li.davidm96@gmail.com>
Signed-off-by: David Li <li.davidm96@gmail.com>