[https://issues.apache.org/jira/browse/CASSANDRA-16851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17401298#comment-17401298]
Tatu Saloranta commented on CASSANDRA-16851:
--------------------------------------------
Security aspect wrt CVE is probably a good one regarding move from 2.9 to even
just 2.10 – practically all Jackson CVEs for past 2.5 years were for
polymorphic deserialization and are not applicable to 2.10 or beyond.
While these CVEs were already not applicable to Cassandra usage (as per
[https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062]),
vuln tracking tools are very simplistic and cannot really express something
that is only applicable to specific usage scenarios, and will happily indicate
Cassandra requiring update to latest Jackson 2.9 patch.
Or, TL;DR: moving out of 2.9 will stop any new Jackson polymorphic deser CVEs.
This would probably be nice for C* 3.x as well as 4.x.
Choice of Jackson dependency to use can also be different between 3.x and 4.x,
although with relatively simple usage it is probably simpler from support
perspective to update both to Jackson 2.12.
> Update from Jackson 2.9 to 2.12
> -------------------------------
>
> Key: CASSANDRA-16851
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16851
> Project: Cassandra
> Issue Type: Improvement
> Components: Dependencies
> Reporter: Tatu Saloranta
> Assignee: Tatu Saloranta
> Priority: Normal
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Given that Jackson 2.9 support has ended, it would be good to move at least
> to the next minor version (2.10, patch 2.10.5) or later – latest stable being
> 2.12.4.
> I can test to see if anything breaks, but looking at existing Jackson usage
> there shouldn't be many issues.
> Assuming upgrade is acceptable there's the question of which branches to
> apply it to; I will first test it against 4.0.
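As an added illustration (not code from the Cassandra ticket or from the Jackson project) of why the 2.10+ API sidesteps the CVE class discussed in the comment above: since 2.10, default typing can only be activated together with a PolymorphicTypeValidator allowlist, so a type id naming any class outside that allowlist is rejected before anything is instantiated. The Shape/Circle/Square model classes are constructed for this example.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {
    // Constructed model: one abstract base, two concrete subtypes.
    public static abstract class Shape { public int size; }
    public static class Circle extends Shape { }
    public static class Square extends Shape { }

    // Jackson 2.10+: default typing requires an explicit validator.
    // The pre-2.10 mapper.enableDefaultTyping() had no such allowlist and is deprecated.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Circle.class)   // only Circle may be resolved from a type id
            .build();
        ObjectMapper mapper = new ObjectMapper();
        // NON_FINAL: type ids are written/read for non-final declared types such as Shape.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Default typing uses an array wrapper: ["<class name>", {...fields...}].
        String allowed = "[\"" + Circle.class.getName() + "\", {\"size\": 3}]";
        Shape s = mapper.readValue(allowed, Shape.class);
        System.out.println("resolved: " + s.getClass().getSimpleName() + " size=" + s.size);

        // Square is a real subtype of Shape but is not on the allowlist, so the
        // validator denies it and Jackson throws InvalidTypeIdException
        // (a JsonMappingException) instead of constructing the object.
        String denied = "[\"" + Square.class.getName() + "\", {\"size\": 2}]";
        try {
            mapper.readValue(denied, Shape.class);
            System.out.println("unexpected: type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected by validator: " + e.getOriginalMessage());
        }
    }
}
```

Without the activateDefaultTyping call at all (Cassandra's situation, per the comment), type ids in input are simply not honoured, which is why the 2.9-era gadget CVEs did not apply to it in the first place.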