Lerh Chuan Low created CASSANDRA-14427:
------------------------------------------
Summary: Bump jackson version to >= 2.9.5
Key: CASSANDRA-14427
URL: https://issues.apache.org/jira/browse/CASSANDRA-14427
Project: Cassandra
Issue Type: Improvement
Reporter: Lerh Chuan Low
Assignee: Lerh Chuan Low
The Jackson being used by Cassandra is really old (1.9.2, and still references
codehaus (Jackson 1) instead of fasterxml (Jackson 2)).
There have been a few Jackson vulnerabilities recently (mostly around
deserialization, which allows arbitrary code execution):
[https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
[https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
[https://nvd.nist.gov/vuln/detail/CVE-2018-1327]
[https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
Given that Jackson in Cassandra is really old and seems to be used also for
reading in values, it looks worthwhile to update Jackson to 2.9.5.
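An added example (not part of the original ticket or the Cassandra code base): a small Python audit that flags Jackson 1 (codehaus) jars and Jackson 2 jars older than the 2.9.5 target named in the ticket. The jar names in the sample list are constructed, and the file-name patterns are an assumption based on the usual Maven artifact naming.

```python
import re

# Minimum Jackson 2 version requested in the ticket.
MIN_JACKSON2 = (2, 9, 5)

# Assumption: Jackson 1 (org.codehaus.jackson) jars use the "-asl"/"-lgpl" artifact suffix.
JACKSON1_RE = re.compile(r"^jackson-(?:core|mapper)-(?:asl|lgpl)-(\d+(?:\.\d+)*)\.jar$")
# Assumption: Jackson 2 (com.fasterxml.jackson) core artifacts, optional qualifier such as ".pr1".
JACKSON2_RE = re.compile(
    r"^jackson-(?:core|databind|annotations)-(\d+(?:\.\d+)*)(?:[.-][\w.]+)?\.jar$"
)


def parse_version(text):
    """Turn '2.9.5' into (2, 9, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_jars(names):
    """Return {jar_name: finding} for every Jackson jar found in names."""
    findings = {}
    for name in names:
        if JACKSON1_RE.match(name):
            # Jackson 1 line: no fix is available by bumping within 1.x.
            findings[name] = "jackson1-codehaus"
            continue
        match = JACKSON2_RE.match(name)
        if match:
            version = parse_version(match.group(1))
            findings[name] = "ok" if version >= MIN_JACKSON2 else "jackson2-below-2.9.5"
    return findings


# Constructed sample of a lib/ directory listing.
SAMPLE_LIB = [
    "jackson-core-asl-1.9.2.jar",
    "jackson-mapper-asl-1.9.2.jar",
    "jackson-databind-2.9.4.jar",
    "jackson-core-2.9.5.jar",
    "jackson-databind-2.10.0.jar",
    "guava-18.0.jar",
]

if __name__ == "__main__":
    for jar, finding in sorted(audit_jars(SAMPLE_LIB).items()):
        print(f"{finding:22} {jar}")
```

File-name matching misses shaded or repackaged copies of Jackson, so a dependency report from the build is the stronger check where one is available.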