[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16467245#comment-16467245 ]

Jason Brown commented on CASSANDRA-14427:
-----------------------------------------

Upgrading dependencies on trunk is not a problem, but usually we are hesitant 
to upgrade in existing releases. Unless, of course, there's a bug or identified 
security problem. The linked CVEs all reference the jackson-databind 
sub-module, which we do not ship. Several of the CVEs have text like "sending 
the maliciously crafted input to the readValue method of the ObjectMapper", but 
always with that input going through the jackson-databind component. While the 
jackson-mapper-asl-1.9.13.jar that we ship does have an {{ObjectMapper}} class, 
so does the jackson-databind jar (I looked at the most recent on maven central, 
v2.9.5). I'm inclined to believe the {{ObjectMapper}} referenced in the CVEs 
refers to the {{ObjectMapper}} in jackson-databind, and not anything we 
currently ship.

If there are no known issues with the current jackson jars, I propose we not 
upgrade them on existing releases. wdyt, [~Lerh Low]?



> Bump jackson version to >= 2.9.5
> --------------------------------
>
>                 Key: CASSANDRA-14427
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14427
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Lerh Chuan Low
>            Assignee: Lerh Chuan Low
>            Priority: Major
>         Attachments: 2.1-14427.txt, 2.2-14427.txt, 3.0-14427.txt, 
> 3.X-14427.txt, trunk-14427.txt
>
>
> The Jackson being used by Cassandra is really old (1.9.2, and still 
> references codehaus (Jackson 1) instead of fasterxml (Jackson 2)). 
> There have been a few jackson vulnerabilities recently (mostly around 
> deserialization which allows arbitrary code execution)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1327]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> Given that Jackson in Cassandra is really old and seems to be used also for 
> reading in values, it looks worthwhile to update Jackson to 2.9.5. 
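A classpath check for the distinction drawn in the comment above, added here as an example and not code from this thread or from Cassandra: it scans a lib directory's jars for the Jackson 1 ObjectMapper (org.codehaus.jackson.map, shipped in jackson-mapper-asl) versus the Jackson 2 one (com.fasterxml.jackson.databind, the module the linked CVEs describe). The sample jars it builds are constructed fixtures holding only placeholder entries, not real bytecode.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Fully qualified ObjectMapper classes of the two Jackson lineages.
# Jackson 1.x (codehaus) puts it in jackson-mapper-asl; Jackson 2.x
# (fasterxml) puts it in jackson-databind, the module the CVEs name.
OBJECT_MAPPERS = {
    "org/codehaus/jackson/map/ObjectMapper.class": "jackson1-mapper-asl",
    "com/fasterxml/jackson/databind/ObjectMapper.class": "jackson2-databind",
}

# Maven-style file name: <artifact>-<version>.jar
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def classify_jar(path):
    """Return (artifact, version, lineage); lineage is None when the jar
    carries neither ObjectMapper class."""
    path = Path(path)
    m = JAR_NAME.match(path.name)
    artifact, version = (m["artifact"], m["version"]) if m else (path.stem, None)
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    lineage = next((l for entry, l in OBJECT_MAPPERS.items() if entry in names), None)
    return artifact, version, lineage


def audit_lib_dir(lib_dir):
    """Map each jar file name in lib_dir to its (artifact, version, lineage)."""
    return {p.name: classify_jar(p) for p in sorted(Path(lib_dir).glob("*.jar"))}


def ships_databind(lib_dir):
    """True only if some jar carries the jackson-databind ObjectMapper."""
    return any(l == "jackson2-databind" for _, _, l in audit_lib_dir(lib_dir).values())


def make_sample_lib(include_databind=False):
    """Constructed fixture directory: fake jars with just the entries that matter."""
    lib_dir = Path(tempfile.mkdtemp())
    fixtures = {
        "jackson-core-asl-1.9.13.jar": ["org/codehaus/jackson/JsonParser.class"],
        "jackson-mapper-asl-1.9.13.jar": ["org/codehaus/jackson/map/ObjectMapper.class"],
    }
    if include_databind:  # what a Jackson 2 upgrade would add to the classpath
        fixtures["jackson-databind-2.9.5.jar"] = ["com/fasterxml/jackson/databind/ObjectMapper.class"]
    for name, entries in fixtures.items():
        with zipfile.ZipFile(lib_dir / name, "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")  # empty placeholder, not real bytecode
    return lib_dir
```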



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
