
Re: Jackson vulnerabilities CVE-2017-17485 & CVE-2018-7489


Hi David

Thanks for bringing this to our attention.

The 1st issue
https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Seems to only be applicable if you have spring JARs on the classpath
which some Camel users may have.



The 2nd issue
https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Seems to only be applicable if you have c3p0 on the classpath, which we
do NOT have by default in Apache Camel.
And we have no Camel components that use c3p0.

But we will of course upgrade to latest Jackson version on master branch.


It may look like Jackson has not provided CVE fixes for these reports
on their 2.8.x versions. That version is what is in use for Camel
2.20.x and 2.21.x and therefore it's more tricky to do something about
it. Camel users can try to switch to use Jackson 2.9.5 with their
Camel 2.20.x or 2.21.x as it's just a matter of selecting the JARs in
their classpath/application.

And as Jackson is also used by Spring Boot then we are trying to align
with the supported version of Jackson that Spring Boot uses. And Camel
2.20.x and 2.21.x are using Spring Boot 1.5.x.

And Jackson has sometimes incompatibility issues so it's not always an
easy upgrade.




On Mon, Apr 16, 2018 at 1:00 PM, David Atkins <davidatkinsuk@xxxxxxxxx> wrote:
> Hello,
>
> I've recently run a dependency check on the camel-jackson 2.21.0 and
> it appears that the version of jackson being used (2.8.10) has two
> High/Severe vulnerabilities.
>
> To fix this for camel-jackson we'll need to upgrade as follows:
>
> CVE-2017-17485 - Jackson 2.9.3 or greater
> CVE-2018-7489 - Jackson 2.9.5 or greater
>
> I can see that the parent pom on the mainline has been upgraded to
> 2.9.4 (as part of spring boot 2 migration), so that covers
> CVE-2017-17485 'for free'
>
> More information available here:
>
> https://nvd.nist.gov/vuln/detail/CVE-2017-17485
> https://nvd.nist.gov/vuln/detail/CVE-2018-7489
>
> Shall I raise a JIRA to address this (possibly as two separate tickets
> to track both issues?)
>
> Thanks,
>
> David



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
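The thread makes two points a Camel user would want to verify in their own build: which jackson-databind version Maven actually resolves, and whether the libraries named as making the CVEs applicable (spring JARs, c3p0) are on the classpath. The following shell check is an added example, not code from the thread or from the Camel project; it parses `mvn dependency:tree` output, and the sample tree, artifact versions and the `check_jackson_tree` function name are constructed for illustration.

```shell
# Constructed sample of `mvn dependency:tree` output for an application that
# depends on camel-jackson 2.21.0 (hypothetical lines; a real tree will differ).
SAMPLE_TREE='[INFO] com.example:demo:jar:1.0
[INFO] +- org.apache.camel:camel-jackson:jar:2.21.0:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.8.10:compile
[INFO] +- org.springframework:spring-context:jar:4.3.14.RELEASE:compile
[INFO] \- com.mchange:c3p0:jar:0.9.5.2:compile'

# Reads dependency:tree output on stdin. Returns 0 when every jackson-databind
# artifact is at least the version given as $1 and neither spring JARs nor c3p0
# appear in the tree; otherwise prints one line per finding and returns 1.
check_jackson_tree() {
  min="$1"   # e.g. 2.9.5, the version the thread gives as fixing CVE-2018-7489
  awk -v min="$min" '
    # numeric major.minor.patch comparison: true when version a < version b
    function vlt(a, b,   x, y, i) {
      split(a, x, "."); split(b, y, ".")
      for (i = 1; i <= 3; i++)
        if ((x[i] + 0) != (y[i] + 0)) return (x[i] + 0) < (y[i] + 0)
      return 0
    }
    # strip the "[INFO] +- " tree prefix, then split groupId:artifactId:type:version:scope
    { sub(/^\[INFO\] [^a-z]*/, ""); split($0, f, ":") }
    f[1] == "com.fasterxml.jackson.core" && f[2] == "jackson-databind" {
      if (vlt(f[4], min)) { print "jackson-databind " f[4] " < " min; bad = 1 }
    }
    f[1] == "org.springframework" || f[2] == "c3p0" {
      print "gadget library on classpath: " f[1] ":" f[2]; bad = 1
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Usage against the constructed sample (for a real project: mvn dependency:tree | check_jackson_tree 2.9.5)
printf '%s\n' "$SAMPLE_TREE" | check_jackson_tree 2.9.5
```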