TL;DR: I've backported the fixes for CVE-2017-7525 and related issues to
select old / archaic versions. This might be useful to someone else, hence
this email.

Cloudera (my employer) provides supported versions of lots of open source
projects.  Most of them use jackson in some form.  Most of them also use an
outdated version of jackson.  We can't easily upgrade the jackson versions
due to concerns of backwards compatibility (real or imagined). (Major
releases, where we have freedom to upgrade stuff, are few and far between.)
This puts us in a tight spot sometimes, particularly with security
vulnerabilities.

Enter CVE-2017-7525 (and related CVEs:  CVE-2017-15095, CVE-2017-17485,
CVE-2018-5968, and CVE-2018-7489).  I understand that the maintainers don't
want to patch every version of jackson, which is understandable. I also
understand (thanks to Cowtowncoder's blog post
<https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062>)
that actually hitting this vulnerability is rare and relatively easily
detectable. One might think that I could review all our code and determine
if we're ultimately vulnerable. There are some problems with this, however.

   1. New, future code could be written that is vulnerable
   2. Some third party code could use jackson and be vulnerable, and we
   wouldn't know it.  (Who knows what Spring does with jackson?  I sure don't.)
   3. Customers might demand that we get this vulnerability off their
   security dashboard.  (Yes, this happens.)

So, what to do?  I can't upgrade to 2.9.5 and be done with it.  Shoot, lots
of stuff is still using 1.8 or 1.9.  I can't argue that we're actually not
vulnerable. So that leaves the one horrible option of forking jackson,
backporting the fixes for these CVEs, and maintaining that fork.  Here you
go:

https://github.com/cloudera/jackson
https://github.com/cloudera/jackson-databind

Look for branches ending in "cloudera" in both of those repositories.
You'll find branches for 1.8.10, 1.9.13 (in the former), 2.1.0, 2.2.2,
2.2.3, 2.3.1, 2.6.2, 2.6.3, and 2.6.5 (in the latter).  In addition, these
are published to our maven repo, for example at

https://repository.cloudera.com/artifactory/libs-staging-local/org/codehaus/jackson/jackson-mapper-asl/
https://repository.cloudera.com/artifactory/libs-staging-local/com/fasterxml/jackson/core/jackson-databind/

Note the "-cloudera.1" version strings.

Licensing-wise, this is of course all under the ASF (even though there is
no new IP, just backports, the lawyers got involved to make it official) so
feel free to use as you see fit.

In closing, two humble requests:

   1. If there are more security-related fixes for this class of
   vulnerability, I'd love to know about them ahead of time, if possible.
   2. I've noticed that reporting and discussion of security
   vulnerabilities happens out in the open in github issues. While useful if
   you're a white hat, this approach does have the problem that attackers can
   see the vulnerability before a release with the fix has been issued. I'd
   like to recommend the Apache approach
   <https://www.apache.org/security/committers.html> to security
   vulnerabilities instead.

Regards,
-Mike Yoder
Cloudera, Inc
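As an added illustration (not part of Mike's message and not code from the Cloudera branches), here is the configuration pattern the CVEs above turn on, written against the jackson-databind 2.x API. The bean, the input document and the class name it carries are constructed for the example; the type named is an inert JDK map, so nothing harmful happens, but it shows that with default typing enabled the JSON, not the application, decides which class gets instantiated:

```java
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Demonstrates why "enableDefaultTyping" plus an Object-typed property is the
 * sink behind CVE-2017-7525 and its follow-ups. Assumes jackson-databind 2.x
 * (the 1.x equivalent lives under org.codehaus.jackson.map.ObjectMapper).
 */
public class DefaultTypingDemo {

    /** Constructed bean: an Object-typed field is exactly what default typing applies to. */
    public static class Envelope {
        public String name;
        public Object payload;
    }

    // Constructed input. With default typing on, the two-element array form
    // ["<class name>", <value>] tells Jackson which class to build for "payload".
    static final String DOC =
        "{\"name\":\"demo\",\"payload\":[\"java.util.LinkedHashMap\",{\"k\":\"v\"}]}";

    /** Weak setting: the document chooses the class. */
    static Object parseWithDefaultTyping() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Default is OBJECT_AND_NON_CONCRETE: Object, interface and abstract-typed properties
        // are all resolved from the class name carried in the JSON.
        mapper.enableDefaultTyping();
        return mapper.readValue(DOC, Envelope.class).payload;
    }

    /** Safer setting: no default typing, so the class name is just a string in a list. */
    static Object parseWithoutDefaultTyping() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(DOC, Envelope.class).payload;
    }

    public static void main(String[] args) throws Exception {
        Object typed = parseWithDefaultTyping();
        System.out.println("default typing on : " + typed.getClass().getName() + " " + typed);

        Object untyped = parseWithoutDefaultTyping();
        System.out.println("default typing off: " + untyped.getClass().getName() + " " + untyped);
    }
}
```

The first call hands back a `java.util.LinkedHashMap` built from the class name in the document; the second hands back an `ArrayList` whose first element is the literal string `java.util.LinkedHashMap`. That difference is the "easily detectable" part of the blog post's argument: the pattern to search for, in your own code and in the shaded third-party jars Mike mentions, is a call to `enableDefaultTyping` (or `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)` / `Id.MINIMAL_CLASS`) combined with a property typed as `Object`, an interface or an abstract class. The upstream fixes for these CVEs reject a list of known-dangerous class names; they do not switch default typing off, so a sink like `Envelope.payload` is still worth removing even on a patched build.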
