[ https://issues.apache.org/jira/browse/AVRO-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16672666#comment-16672666 ]

Oscar Westra van Holthe - Kind commented on AVRO-1126:
------------------------------------------------------

Fixing this issue has become more important, due to 
[CVE-2018-7489|https://nvd.nist.gov/vuln/detail/CVE-2018-7489] (a remote code 
execution vulnerability in older Jackson versions).
From the CVE:
{quote}
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows 
unauthenticated remote code execution because of an incomplete fix for the 
CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously 
crafted JSON input to the readValue method of the ObjectMapper, bypassing a 
blacklist that is ineffective if the c3p0 libraries are available in the 
classpath.
{quote}

> Upgrade to Jackson 2+
> ---------------------
>
>                 Key: AVRO-1126
>                 URL: https://issues.apache.org/jira/browse/AVRO-1126
>             Project: Avro
>          Issue Type: Task
>          Components: java
>            Reporter: James Tyrrell
>            Assignee: Charles Honton
>            Priority: Critical
>             Fix For: 1.9.0
>
>
> Quite annoyingly with Jackson 2+ the base package name has changed from 
> org.codehaus.jackson to com.fasterxml.jackson so in addition to changing the 
> dependencies from:
> {code:xml} 
> <dependency>
>     <groupId>org.codehaus.jackson</groupId>
>     <artifactId>jackson-core-asl</artifactId>
>     <version>${jackson.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.codehaus.jackson</groupId>
>     <artifactId>jackson-mapper-asl</artifactId>
>     <version>${jackson.version}</version>
> </dependency>
> {code} 
> to:
> {code:xml} 
> <dependency>
>     <groupId>com.fasterxml.jackson.core</groupId>
>     <artifactId>jackson-core</artifactId>
>     <version>${jackson.version}</version>
> </dependency>
> <dependency>
>     <groupId>com.fasterxml.jackson.core</groupId>
>     <artifactId>jackson-databind</artifactId>
>     <version>${jackson.version}</version>
> </dependency>
> {code} 
> the base package in the code needs to be updated. More info can be found 
> [here|http://wiki.fasterxml.com/JacksonUpgradeFrom19To20]. I am happy to do 
> the work, just let me know what is preferable, i.e. should I just attach a 
> patch to this issue?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
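The comment above quotes the affected ranges for CVE-2018-7489 ("before 2.8.11.1 and 2.9.x before 2.9.5"). The following is an added check, not code from the AVRO project or this thread, that classifies a resolved `com.fasterxml.jackson.core:jackson-databind` version against exactly those ranges and scans Maven `dependency:list` style lines (the `[INFO]  group:artifact:jar:version:scope` layout is assumed; the sample lines are constructed). The codehaus 1.x artifacts are a different library and are deliberately skipped.

```python
import re

# Ranges exactly as stated in the CVE text quoted in the comment.
FIXED_28 = "2.8.11.1"   # everything below this is affected
FIXED_29 = "2.9.5"      # 2.9.x below this is affected


def parse_version(v: str) -> tuple:
    """Turn '2.8.11.1' into (2, 8, 11, 1); pad to four parts with zeros so
    2.8.11 sorts below 2.8.11.1. A -SNAPSHOT or similar suffix is ignored."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable_to_cve_2018_7489(version: str) -> bool:
    """True if a jackson-databind version falls inside the CVE's ranges."""
    v = parse_version(version)
    if v[:2] == (2, 9):
        return v < parse_version(FIXED_29)
    return v < parse_version(FIXED_28)


# Assumed `mvn dependency:list` line shape: "[INFO]    g:a:jar:version:scope"
DEP_RE = re.compile(r"^\[INFO\]\s+(?P<g>[^:\s]+):(?P<a>[^:]+):jar:(?P<v>[^:]+):(?P<scope>\w+)")
TARGET = ("com.fasterxml.jackson.core", "jackson-databind")


def audit_dependency_list(lines) -> dict:
    """Return {version: vulnerable?} for each jackson-databind entry found.
    Other artifacts (including org.codehaus.jackson 1.x) are not assessed."""
    findings = {}
    for line in lines:
        m = DEP_RE.match(line)
        if m and (m["g"], m["a"]) == TARGET:
            findings[m["v"]] = is_vulnerable_to_cve_2018_7489(m["v"])
    return findings


# Constructed sample output, not from a real build.
SAMPLE_LINES = [
    "[INFO]    org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile",
]

if __name__ == "__main__":
    for ver, bad in audit_dependency_list(SAMPLE_LINES).items():
        print(f"jackson-databind {ver}: {'AFFECTED' if bad else 'not affected'}")
```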