[jira] [Updated] (ZOOKEEPER-4716) upgrade jackson to 2.15.2, suppress two false positive CVE errors
[
https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated ZOOKEEPER-4716:
--
Labels: pull-request-available (was: )
> upgrade jackson to 2.15.2, suppress two false positive CVE errors
> -
>
> Key: ZOOKEEPER-4716
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716
> Project: ZooKeeper
> Issue Type: Improvement
>Affects Versions: 3.8.1
>Reporter: Mate Szalay-Beko
>Assignee: Mate Szalay-Beko
>Priority: Major
> Labels: pull-request-available
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Our jackson is quite old, I want to upgrade it before release 3.8.2.
> Also we have a few false positive CVEs reported by OWASP:
> * CVE-2023-35116: according to jackson community, this is not a security
> issue, see
> [https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098]
> * CVE-2022-45688: the following CVE is not even jackson related, but a
> vulnerability in json-java which we don't use in ZooKeeper
>
> {code:java}
> [INFO] Finished at: 2023-06-30T13:23:38+02:00
> [INFO]
>
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check
> (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
> [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (ZOOKEEPER-4716) upgrade jackson to 2.15.2, suppress two false positive CVE errors
[
https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mate Szalay-Beko updated ZOOKEEPER-4716:
Description:
Our jackson is quite old, I want to upgrade it before release 3.8.2.
Also we have a few false positive CVEs reported by OWASP:
* CVE-2023-35116: according to jackson community, this is not a security
issue, see
[https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098]
* CVE-2022-45688: the following CVE is not even jackson related, but a
vulnerability in json-java which we don't use in ZooKeeper
{code:java}
[INFO] Finished at: 2023-06-30T13:23:38+02:00
[INFO]
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check
(default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have
a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
{code}
was:
{code:java}
[INFO] Finished at: 2023-06-30T13:23:38+02:00
[INFO]
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check
(default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have
a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
{code}
> upgrade jackson to 2.15.2, suppress two false positive CVE errors
> -
>
> Key: ZOOKEEPER-4716
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716
> Project: ZooKeeper
> Issue Type: Improvement
>Affects Versions: 3.8.1
>Reporter: Mate Szalay-Beko
>Assignee: Mate Szalay-Beko
>Priority: Major
>
> Our jackson is quite old, I want to upgrade it before release 3.8.2.
> Also we have a few false positive CVEs reported by OWASP:
> * CVE-2023-35116: according to jackson community, this is not a security
> issue, see
> [https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098]
> * CVE-2022-45688: the following CVE is not even jackson related, but a
> vulnerability in json-java which we don't use in ZooKeeper
>
> {code:java}
> [INFO] Finished at: 2023-06-30T13:23:38+02:00
> [INFO]
>
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check
> (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
> [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (ZOOKEEPER-4716) upgrade jackson to 2.15.2, suppress two false positive CVE errors
[
https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mate Szalay-Beko updated ZOOKEEPER-4716:
Summary: upgrade jackson to 2.15.2, suppress two false positive CVE errors
(was: Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116)
> upgrade jackson to 2.15.2, suppress two false positive CVE errors
> -
>
> Key: ZOOKEEPER-4716
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716
> Project: ZooKeeper
> Issue Type: Improvement
>Affects Versions: 3.8.1
>Reporter: Mate Szalay-Beko
>Assignee: Mate Szalay-Beko
>Priority: Major
>
> {code:java}
> [INFO] Finished at: 2023-06-30T13:23:38+02:00
> [INFO]
>
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check
> (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
> [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (ZOOKEEPER-4716) Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116
[
https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mate Szalay-Beko updated ZOOKEEPER-4716:
Description:
{code:java}
[INFO] Finished at: 2023-06-30T13:23:38+02:00
[INFO]
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check
(default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have
a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
{code}
> Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116
>
>
> Key: ZOOKEEPER-4716
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716
> Project: ZooKeeper
> Issue Type: Improvement
>Affects Versions: 3.8.1
>Reporter: Mate Szalay-Beko
>Assignee: Mate Szalay-Beko
>Priority: Major
>
> {code:java}
> [INFO] Finished at: 2023-06-30T13:23:38+02:00
> [INFO]
>
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check
> (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
> [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5)
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (ZOOKEEPER-4716) Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mate Szalay-Beko updated ZOOKEEPER-4716: Affects Version/s: 3.8.1 > Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116 > > > Key: ZOOKEEPER-4716 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716 > Project: ZooKeeper > Issue Type: Improvement >Affects Versions: 3.8.1 >Reporter: Mate Szalay-Beko >Assignee: Mate Szalay-Beko >Priority: Major > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (ZOOKEEPER-4716) Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116
Mate Szalay-Beko created ZOOKEEPER-4716: --- Summary: Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116 Key: ZOOKEEPER-4716 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716 Project: ZooKeeper Issue Type: Improvement Reporter: Mate Szalay-Beko Assignee: Mate Szalay-Beko -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Resolved] (ZOOKEEPER-4628) CVE-2022-42003 CVE-2022-42004 HIGH: upgrade jackson-databind-2.13.3.jar to 2.13.4.1
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mate Szalay-Beko resolved ZOOKEEPER-4628. - Resolution: Duplicate Thank you [~ivodujmovic] for reporting this issue and submitting a PR! I see that in the meanwhile this was fixed by ZOOKEEPER-4661. (of course since that time we had an other CVE, but I will take care of that in a separate ticket) > CVE-2022-42003 CVE-2022-42004 HIGH: upgrade jackson-databind-2.13.3.jar to > 2.13.4.1 > --- > > Key: ZOOKEEPER-4628 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4628 > Project: ZooKeeper > Issue Type: Task > Components: security >Affects Versions: 3.5.10, 3.8.0, 3.7.1 >Reporter: Ivo Dujmovic >Priority: Critical > Labels: pull-request-available > Time Spent: 40m > Remaining Estimate: 0h > > Two High issues > [https://nvd.nist.gov/vuln/detail/CVE-2022-42003] > [https://nvd.nist.gov/vuln/detail/CVE-2022-42004] > affect jackson version 2.13.3 which zk should update to 2.13.4.1 > Other projects have done this, but Zookeeper has not. -- This message was sent by Atlassian Jira (v8.20.10#820010)
