Dear All

Unfortunately there is no real fix for this in any of the Jackson releases, 
since the fix merged blacklists certain classes that should not be deserialized.

The blacklisting based fix is this 
https://github.com/FasterXML/jackson-databind/issues/1599
which is only included in

2.7.9.3 <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.3> (Central <https://mvnrepository.com/repos/central>, 1 usage <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.3/usages>, Feb 2018)
2.7.9.2 <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.2> (Central <https://mvnrepository.com/repos/central>, 6 usages <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.2/usages>, Dec 2017)
2.7.9.1 <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.1>

and

2.8.11.1 <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11.1> (Central <https://mvnrepository.com/repos/central>, 13 usages <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11.1/usages>, Feb 2018)
2.8.11 <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11> (Central <https://mvnrepository.com/repos/central>, 102 usages <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11/usages>, Dec 2017)
2.8.10 <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.10> (Central <https://mvnrepository.com/repos/central>, 541 usages <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.10/usages>, Aug 2017)
2.8.9 <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.9> (Central <https://mvnrepository.com/repos/central>, 643 usages <https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.9/usages>, Jun 2017)


2.9.X branch does not contain the fixes
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5
The fix in 2.8 branch
https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1
is missing from 2.9
https://github.com/FasterXML/jackson-databind/blob/2.9/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java

I think there is no bulletproof solution for now.

Cheers Denes
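The message above makes the point that the merged fix is a blacklist of class names, and a blacklist can only ever cover the classes someone has already thought of. The structural alternative is to never let the input choose a class at all: leave default typing off and register the permitted subtypes explicitly, so the type id in the JSON is a logical name resolved against a fixed allowlist. The following is an added example, not code from this thread or from the Jackson project; it assumes jackson-databind 2.8/2.9 on the classpath, and the Shape/Circle/Square classes and the "kind" property name are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class PolymorphicAllowlistDemo {

    // Polymorphic base type. The "kind" property carries a logical name that is
    // resolved only against the @JsonSubTypes registered here; a class name in
    // the input is never consulted.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME,
                  include = JsonTypeInfo.As.PROPERTY,
                  property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public static abstract class Shape {
        public abstract double area();
    }

    public static class Circle extends Shape {
        public double radius;
        @Override public double area() { return Math.PI * radius * radius; }
    }

    public static class Square extends Shape {
        public double side;
        @Override public double area() { return side * side; }
    }

    public static void main(String[] args) throws Exception {
        // Plain mapper: enableDefaultTyping() is deliberately NOT called, so no
        // document can steer deserialization towards an arbitrary class.
        ObjectMapper mapper = new ObjectMapper();

        // Constructed sample input using a registered logical name.
        Shape ok = mapper.readValue("{\"kind\":\"square\",\"side\":3}", Shape.class);
        System.out.println("area = " + ok.area());

        // Constructed input naming a type that is not on the allowlist: Jackson
        // fails at type-id resolution, before any object is instantiated.
        String unknown = "{\"kind\":\"com.example.NotRegistered\",\"side\":3}";
        try {
            mapper.readValue(unknown, Shape.class);
            System.out.println("unexpected: unknown type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected as expected: " + e.getOriginalMessage());
        }
    }
}
```

The difference from the blacklist approach is that nothing on the classpath outside the two registered subtypes is reachable from input, regardless of which gadget classes a future release adds to or forgets from its deny list. Where default typing genuinely cannot be avoided, later jackson-databind releases (2.10 and up, outside the range discussed in this thread) add activateDefaultTyping with a PolymorphicTypeValidator, which lets you express the same allowlist by package or base type instead of per-class annotations.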



From: <onap-discuss-boun...@lists.onap.org> on behalf of 
"fu.guangr...@zte.com.cn" <fu.guangr...@zte.com.cn>
Date: 2018. March 29., Thursday 2:34
To: "pdrag...@research.att.com" <pdrag...@research.att.com>
Cc: "onap-discuss@lists.onap.org" <onap-discuss@lists.onap.org>, 
"onap-rele...@lists.onap.org" <onap-rele...@lists.onap.org>
Subject: Re: [onap-discuss] [Onap-release] FYI - jackson-databind security fix 
2.9.5


That's good news, Pam.

Just let us know the result. We've been struggling with this issue for a long 
time as well.

Best wishes.

Guangrong






Original Mail
Sender: DRAGOSH,PAMELAL(PAM) <pdrag...@research.att.com>
To: onap-discuss@lists.onap.org <onap-discuss@lists.onap.org>, onap-release 
<onap-rele...@lists.onap.org>
Date: 2018/03/29 07:55
Subject: [Onap-release] FYI - jackson-databind security fix 2.9.5
_______________________________________________
Onap-release mailing list
onap-rele...@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-release


For teams with CLM issues regarding 2.9.4 and lower, just 2 days ago they 
released this version:

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5

I am going to see if that clears my CLM issues for the policy projects.

Wish me luck.

Pam




_______________________________________________
onap-discuss mailing list
onap-discuss@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-discuss
