
Possible jackson-databind vulnerabilities #4006

Closed
ebruchez opened this issue Mar 27, 2019 · 1 comment

2 participants
@ebruchez
Collaborator

commented Mar 27, 2019

+1 from customer

See the NIST list.

We don't use jackson-databind directly. Usage comes via com.amazonaws:aws-java-sdk-core:1.11.166 which is used by Google com.google.crypto.tink:tink:1.2.2.

We are probably not making any use of aws-java-sdk-core even via Tink. Even so, Amazon says that at least CVE-2017-15095 & CVE-2018-7489 are nothing to worry about. They also say "Consumers of the SDK can override the version of Jackson in their own application to a newer version."

Since we don't need to support Java 1.6 anyway, we can try to update the library to a newer version, namely 2.9.8, for which no vulnerability has been posted yet.
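An added example (not code from this issue or from Orbeon Forms) that checks whether an override like the one proposed above actually took effect: it parses `mvn dependency:tree`-style output, reports every path through which jackson-databind is resolved, and flags resolutions below a version floor. The sample tree, the placeholder 2.6.7 under aws-java-sdk-core, and the coordinates are constructed assumptions; the floor is the 2.9.8 the issue proposes and should be raised as new advisories are published.

```python
import re

# Constructed sample of Maven-style dependency-tree output (not taken from the issue).
# The 2.6.7 under aws-java-sdk-core is an assumed placeholder, not a known fact.
SAMPLE_TREE = """\
org.example:app:jar:1.0
+- com.google.crypto.tink:tink:jar:1.2.2:compile
|  \\- com.amazonaws:aws-java-sdk-core:jar:1.11.166:compile
|     +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.7:compile
|     \\- com.fasterxml.jackson.core:jackson-core:jar:2.6.7:compile
\\- org.scala-lang:scala-library:jar:2.12.8:compile
"""

# group:artifact:jar:version ; tree prefixes ("+- ", "|  ", "\\- ") are 3 chars per level
COORD_RE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+)")
FLOOR = "2.9.8"  # version the issue proposes to move to


def parse_version(v):
    """'2.6.7.1' -> (2, 6, 7, 1); compared as tuples so 2.10 sorts above 2.9."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def resolved_paths(tree, group, artifact):
    """Every resolution of group:artifact as (version, [ancestor coordinates])."""
    stack = []  # (depth, "group:artifact:version") for the current ancestor chain
    hits = []
    for line in tree.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        depth = m.start() // 3
        while stack and stack[-1][0] >= depth:
            stack.pop()
        g, a, v = m.groups()
        if (g, a) == (group, artifact):
            hits.append((v, [coord for _, coord in stack]))
        stack.append((depth, f"{g}:{a}:{v}"))
    return hits


def below_floor(version, floor=FLOOR):
    return parse_version(version) < parse_version(floor)


def audit(tree, group="com.fasterxml.jackson.core", artifact="jackson-databind", floor=FLOOR):
    """Findings: (version, path) for every resolution of the artifact below the floor."""
    return [(v, path) for v, path in resolved_paths(tree, group, artifact) if below_floor(v, floor)]


if __name__ == "__main__":
    for version, path in audit(SAMPLE_TREE):
        print(f"jackson-databind {version} below {FLOOR} via " + " -> ".join(path))
```

Feed it the real tree output of the build (`mvn dependency:tree` or the equivalent sbt plugin) before and after adding the override; an empty result afterwards confirms the transitive copy was replaced rather than merely shadowed.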

@ebruchez ebruchez self-assigned this Mar 27, 2019

@ebruchez ebruchez added this to To review in Orbeon Forms 2019.1 via automation Mar 27, 2019

@ebruchez ebruchez added this to To do in Orbeon Forms 2018.2.3 via automation Mar 27, 2019

@ebruchez ebruchez closed this Mar 27, 2019

Orbeon Forms 2019.1 automation moved this from To review to Done Mar 27, 2019

Orbeon Forms 2018.2.3 automation moved this from To do to Done Mar 27, 2019

@avernet


Collaborator

commented Mar 28, 2019
