[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16458271#comment-16458271 ]
Lerh Chuan Low commented on CASSANDRA-14427:
--------------------------------------------

GitHub branch if preferred: [https://github.com/juiceblender/cassandra/tree/jackson-update]
CCI: [https://circleci.com/gh/juiceblender/cassandra/76]

Not sure if these should include all the previous versions (I think they should); let me know if I'm on the right track + if I should create patches for 2.1/2.2/3.0/3.

Thanks!

> Bump jackson version to >= 2.9.5
> --------------------------------
>
>                 Key: CASSANDRA-14427
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14427
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Lerh Chuan Low
>            Assignee: Lerh Chuan Low
>            Priority: Major
>         Attachments: trunk-14427.txt
>
>
> The Jackson being used by Cassandra is really old (1.9.2, and still
> references codehaus (Jackson 1) instead of fasterxml (Jackson 2)).
> There have been a few Jackson vulnerabilities recently (mostly around
> deserialization which allows arbitrary code execution):
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1327]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> Given that Jackson in Cassandra is really old and seems to be used also for
> reading in values, it looks worthwhile to update Jackson to 2.9.5.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)