Alexey Roytman created CALCITE-2154:
---------------------------------------
Summary: upgrade jackson
Key: CALCITE-2154
URL: https://issues.apache.org/jira/browse/CALCITE-2154
Project: Calcite
Issue Type: Bug
Components: core
Affects Versions: 1.15.0
Reporter: Alexey Roytman
Assignee: Julian Hyde
Calcite currently uses FasterXML Jackson 2.6.3, which has known security
vulnerabilities:
* CVE-2017-7525 describes a remote-code execution vulnerability.
Successfully exploiting this issue allows attackers to execute arbitrary code
in the context of the affected application. Failed exploits will result in
denial-of-service conditions.
* CVE-2017-15095 describes more deserialization exploits for jackson-databind
as a follow-up to CVE-2017-7525.
* CVE-2017-17485 is about jackson-databind up to 2.9.3 allowing
unauthenticated remote code execution because of an incomplete fix for the
CVE-2017-7525 deserialization flaw.
* CVE-2018-5968 is about jackson-databind up to 2.9.3 allowing unauthenticated
remote code execution because of an incomplete fix for the CVE-2017-7525 and
CVE-2017-17485 deserialization flaws.
Please upgrade to the latest version of FasterXML Jackson (on 2018-01-30 it's
version 2.9.4).
I hope that fixing pom.xml files and running tests is enough.
(See also JIRA:CALCITE-1021, JIRA:KYLIN-3027)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
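Added example, not part of the issue and not Calcite's own code: a script that audits the dependencies in a pom.xml for Jackson artifacts older than the version the issue asks for (2.9.4), resolving `${property}` versions from the `<properties>` block so that a centrally managed `jackson.version` is not missed. The sample pom is constructed, and the minimum version is taken from the issue text.

```python
"""Audit pom.xml content for Jackson artifacts older than the version the
issue requests.  Added example; SAMPLE_POM below is constructed, not Calcite's."""
import re
import xml.etree.ElementTree as ET

MIN_JACKSON = "2.9.4"   # version requested in the issue (as of 2018-01-30)
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(v):
    # "2.9.4" -> (2, 9, 4); non-numeric qualifiers are ignored for comparison.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def resolve(version, props):
    # Expand a ${name} reference using the pom's <properties> block.
    if version is None:
        return None
    m = re.fullmatch(r"\$\{([^}]+)\}", version.strip())
    return props.get(m.group(1)) if m else version.strip()

def find_outdated_jackson(pom_xml, minimum=MIN_JACKSON):
    """Return [(groupId:artifactId, version)] for Jackson deps below minimum."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    hits = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        if not group.startswith("com.fasterxml.jackson"):
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = resolve(dep.findtext("m:version", namespaces=NS), props)
        if version is None:  # inherited from a parent or BOM; flag for review
            hits.append((f"{group}:{artifact}", "unresolved"))
        elif parse_version(version) < parse_version(minimum):
            hits.append((f"{group}:{artifact}", version))
    return hits

# Constructed sample pom (hypothetical coordinates, not a real project file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.6.3</jackson.version></properties>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId><version>${jackson.version}</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId><version>2.9.4</version></dependency>
    <dependency><groupId>org.example</groupId>
      <artifactId>other-lib</artifactId><version>1.0.0</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, ver in find_outdated_jackson(SAMPLE_POM):
        print(f"{coord} {ver} < {MIN_JACKSON}")
```

Run it over each pom.xml in a multi-module build; entries reported as "unresolved" need their version checked in the parent pom or BOM.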