CVE-2020-28491: com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.10.0:compile is used in fhir-bucket and fhir-bulkimportexport-webapp #1973

Closed
prb112 opened this issue Feb 22, 2021 · 0 comments · Fixed by #1974
Assignees
Labels
bug Something isn't working P1 Priority 1 - Must Have security

Comments

@prb112
Contributor

prb112 commented Feb 22, 2021

Describe the bug
CVE-2020-28491: com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.10.0:compile is used in fhir-bucket and fhir-bulkimportexport-webapp

There is a corresponding CVE which recommends updating databind.

[INFO] com.ibm.fhir:fhir-bulkimportexport-webapp:war:4.6.0-SNAPSHOT
[INFO] +- com.ibm.cos:ibm-cos-java-sdk:jar:2.9.0:compile
[INFO] | +- com.ibm.cos:ibm-cos-java-sdk-s3:jar:2.9.0:compile
[INFO] | +- com.ibm.cos:ibm-cos-java-sdk-kms:jar:2.9.0:compile
[INFO] | | - javax.annotation:javax.annotation-api:jar:1.3.1:compile
[INFO] | - com.ibm.cos:ibm-cos-java-sdk-core:jar:2.9.0:compile
[INFO] | +- javax.xml.bind:jaxb-api:jar:2.3.0:compile
[INFO] | +- com.sun.xml.bind:jaxb-core:jar:2.3.0:compile
[INFO] | +- com.sun.xml.bind:jaxb-impl:jar:2.3.0:compile
[INFO] | +- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] | +- software.amazon.ion:ion-java:jar:1.2.0:compile
[INFO] | +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.10.0:compile
[INFO] | - joda-time:joda-time:jar:2.8.2:compile
com.ibm.fhir:fhir-bucket:jar:4.6.0-SNAPSHOT
[INFO] +- com.ibm.cos:ibm-cos-java-sdk:jar:2.9.0:compile
[INFO] | +- com.ibm.cos:ibm-cos-java-sdk-s3:jar:2.9.0:compile
[INFO] | +- com.ibm.cos:ibm-cos-java-sdk-kms:jar:2.9.0:compile
[INFO] | | - javax.annotation:javax.annotation-api:jar:1.3.1:compile
[INFO] | - com.ibm.cos:ibm-cos-java-sdk-core:jar:2.9.0:compile
[INFO] | +- javax.xml.bind:jaxb-api:jar:2.3.0:compile
[INFO] | +- com.sun.xml.bind:jaxb-core:jar:2.3.0:compile
[INFO] | +- com.sun.xml.bind:jaxb-impl:jar:2.3.0:compile
[INFO] | +- software.amazon.ion:ion-java:jar:1.2.0:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.1:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.1:compile
[INFO] | | - com.fasterxml.jackson.core:jackson-core:jar:2.12.1:compile
[INFO] | +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.10.0:compile
[INFO] | - joda-time:joda-time:jar:2.8.2:compile

To Reproduce
Steps to reproduce the behavior:

  1. Clone the Repository
  2. mvn dependency:tree -f fhir-parent
  3. Confirm cbor version
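Step 3 of the reproduction can be automated. The script below is an added example, not code from the issue or from the IBM FHIR project: it parses `mvn dependency:tree` output, reports every module whose tree contains `jackson-dataformat-cbor` together with the transitive path that pulls it in (in the output above, via `ibm-cos-java-sdk-core`), and flags occurrences below a threshold version. The sample tree is constructed from the output quoted above plus one made-up `com.example` module on a newer version so the check has a clean case to distinguish; the `2.11.4` threshold in the demo call is an assumption to verify against the linked CVE entry, and version comparison is numeric-only (qualifiers such as `-SNAPSHOT` are ignored).

```python
import re
import sys

# Constructed sample: a trimmed copy of the `mvn dependency:tree` output quoted
# in the issue, plus one made-up com.example module on a newer cbor version.
SAMPLE_TREE = r"""
[INFO] com.ibm.fhir:fhir-bulkimportexport-webapp:war:4.6.0-SNAPSHOT
[INFO] +- com.ibm.cos:ibm-cos-java-sdk:jar:2.9.0:compile
[INFO] |  +- com.ibm.cos:ibm-cos-java-sdk-s3:jar:2.9.0:compile
[INFO] |  \- com.ibm.cos:ibm-cos-java-sdk-core:jar:2.9.0:compile
[INFO] |     +- software.amazon.ion:ion-java:jar:1.2.0:compile
[INFO] |     +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.10.0:compile
[INFO] |     \- joda-time:joda-time:jar:2.8.2:compile
[INFO] com.ibm.fhir:fhir-bucket:jar:4.6.0-SNAPSHOT
[INFO] +- com.ibm.cos:ibm-cos-java-sdk:jar:2.9.0:compile
[INFO] |  \- com.ibm.cos:ibm-cos-java-sdk-core:jar:2.9.0:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.1:compile
[INFO] |     +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.10.0:compile
[INFO] |     \- joda-time:joda-time:jar:2.8.2:compile
[INFO] com.example:constructed-module:jar:1.0.0
[INFO] \- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.12.1:compile
"""

# A tree line is "[INFO] " + a prefix of connector characters + one coordinate.
# Every nesting level adds exactly three prefix characters ("+- ", "\- ", "|  " or "   ").
LINE_RE = re.compile(r"^\[INFO\] ([|+\\ -]*)([A-Za-z0-9]\S*)$")


def parse_tree(text):
    """Yield (depth, coordinate) for each dependency line; other log lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield len(m.group(1)) // 3, m.group(2)


def parse_coord(coord):
    """Split groupId:artifactId:type[:classifier]:version[:scope]; module roots carry no scope."""
    parts = coord.split(":")
    if len(parts) < 4:
        return None
    version = parts[-2] if len(parts) >= 5 else parts[-1]
    return {"group": parts[0], "artifact": parts[1], "version": version}


def version_key(version):
    """Numeric tuple for ordering, e.g. '2.10.0' -> (2, 10, 0).
    Assumption: qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def find_occurrences(tree_text, group_id, artifact_id):
    """Return every occurrence of the artifact with its owning module and dependency path."""
    stack = []  # ancestor coordinates, indexed by depth
    results = []
    for depth, coord in parse_tree(tree_text):
        del stack[depth:]  # leaving a subtree drops its entries
        stack.append(coord)
        dep = parse_coord(coord)
        if dep and dep["group"] == group_id and dep["artifact"] == artifact_id:
            results.append({
                "module": stack[0],
                "version": dep["version"],
                "path": " -> ".join(parse_coord(c)["artifact"] for c in stack),
            })
    return results


def vulnerable_occurrences(tree_text, group_id, artifact_id, fixed_version):
    """Occurrences whose version sorts below the fixed version taken from the advisory."""
    return [o for o in find_occurrences(tree_text, group_id, artifact_id)
            if version_key(o["version"]) < version_key(fixed_version)]


if __name__ == "__main__":
    # Pipe real output in: mvn dependency:tree -f fhir-parent | python3 check_cbor.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    group, artifact = "com.fasterxml.jackson.dataformat", "jackson-dataformat-cbor"
    for occ in find_occurrences(text, group, artifact):
        print(f"{occ['module']}: {artifact} {occ['version']} via {occ['path']}")
    # Assumed threshold; confirm the fixed version against the CVE entry before relying on it.
    flagged = vulnerable_occurrences(text, group, artifact, "2.11.4")
    print(f"{len(flagged)} occurrence(s) below 2.11.4")
```

Because the artifact arrives transitively through the COS SDK rather than as a direct dependency, a remediation in a Maven build typically either upgrades the SDK that brings it in or pins the artifact version in the parent POM's `dependencyManagement`; rerunning the tree through this check afterwards confirms that no module still resolves the old version.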

Expected behavior
n/a

Additional context
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28491

@prb112 prb112 added bug Something isn't working security labels Feb 22, 2021
@prb112 prb112 added this to the Sprint 2021-03 milestone Feb 22, 2021
@prb112 prb112 self-assigned this Feb 22, 2021
prb112 added a commit that referenced this issue Feb 22, 2021
…bor:jar:2.10.0:compile is used in fhir-bucket and fhir-bulkimportexport-webapp #1973

Signed-off-by: Paul Bastide <pbastide@us.ibm.com>
@prb112 prb112 added the P1 Priority 1 - Must Have label Feb 22, 2021
lmsurpre added a commit that referenced this issue Feb 26, 2021
This should workaround the root cause of issue #1973 and prevent
`--update-schema` from trying to apply updates that have already been
applied.

The root cause will need to be addressed in a separate PR.

Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>