osdir.com

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Jackson vulnerabilities CVE-2017-17485 & CVE-2018-7489


Hello,

I've recently ran a dependency check on the camel-jackson 2.21.0 and
it appears that the version of jackson being used (2.8.10) has two
High/Severe vulnerabilities.

To fix this for camel-jackson we'll need to upgrade as follows:

CVE-2017-17485 - Jackson 2.9.3 or greater
CVE-2018-7489 - Jackson 2.9.5 or greater

I can see that the parent pom on the mainline has been upgraded to
2.9.4 (as part of spring boot 2 migration), so that covers
CVE-2017-17485 'for free'

More information available here:

https://nvd.nist.gov/vuln/detail/CVE-2017-17485
https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Shall I raise a JIRA to address this (possible as two separate tickets
to track both issues?)

Thanks,

David