update Jackson - CVE-2019-12086 #120
Thanks for reporting this. The Jackson maintainers have backported the fix for CVE-2019-12086 to the 2.7 and 2.8 branches, and I've been waiting for a 2.7 maintenance release. I'm hoping to delay a move to 2.9 for the time being, as I believe that it deprecated one or more methods in ISO8601Utils that we currently depend on. In the meantime, it looks like the vulnerability requires mysql-connector-java jar 8.0.14 or earlier, so it seems like it can be avoided by using a more recent version of that MySQL connector. Would that be acceptable?
Thanks - I've updated my uses of mysql-connector-java, which should address the issue for my use-case. Unfortunately the CPEs there don't list the MySQL requirement, so static analysis tools (particularly the Maven OWASP plugin) will still pick this up as a vulnerability, but it looks like there's pending errata to the CVE. FWIW, it does look like ISO8601Utils' behavior may be the default: FasterXML/jackson-databind#1786
Also, FWIW, I've been using Jackson 2.9.8 without issue in some artifacts due to conflicting transitive dependency versions (with
Thanks, @hauntingEcho. I've released a version 2.2.2 of the SCIM 2 SDK that uses Jackson 2.9.9. The various components should be available on Maven Central now. I expect the next set of changes to be pushed to the SCIM 2 repo will deprecate the ScimDateFormat class (which I doubt is used outside of the SDK) and replace all usages of deprecated Jackson APIs. My concern about the deprecated APIs in Jackson 2.9 revolves around the possibility that future security fixes may only appear in Jackson 2.10.
The version of Jackson imported by these libraries is vulnerable to CVE-2019-12086 when used in a project also using the MySQL connector; please update when possible.