[jira] [Updated] (ZOOKEEPER-4716) upgrade jackson to 2.15.2, suppress two false positive CVE errors
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] ASF GitHub Bot updated ZOOKEEPER-4716: -- Labels: pull-request-available (was: ) > upgrade jackson to 2.15.2, suppress two false positive CVE errors > - > > Key: ZOOKEEPER-4716 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716 > Project: ZooKeeper > Issue Type: Improvement >Affects Versions: 3.8.1 >Reporter: Mate Szalay-Beko >Assignee: Mate Szalay-Beko >Priority: Major > Labels: pull-request-available > Time Spent: 10m > Remaining Estimate: 0h > > Our jackson is quite old, I want to upgrade it before release 3.8.2. > Also we have a few false positive CVEs reported by OWASP: > * CVE-2023-35116: according to jackson community, this is not a security > issue, see > [https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098] > * CVE-2022-45688: the following CVE is not even jackson related, but a > vulnerability in json-java which we don't use in ZooKeeper > > {code:java} > [INFO] Finished at: 2023-06-30T13:23:38+02:00 > [INFO] > > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check > (default-cli) on project zookeeper: > [ERROR] > [ERROR] One or more dependencies were identified with vulnerabilities that > have a CVSS score greater than or equal to '0.0': > [ERROR] > [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) > [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5) > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (ZOOKEEPER-4716) upgrade jackson to 2.15.2, suppress two false positive CVE errors
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mate Szalay-Beko updated ZOOKEEPER-4716: Description: Our jackson is quite old, I want to upgrade it before release 3.8.2. Also we have a few false positive CVEs reported by OWASP: * CVE-2023-35116: according to jackson community, this is not a security issue, see [https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098] * CVE-2022-45688: the following CVE is not even jackson related, but a vulnerability in json-java which we don't use in ZooKeeper {code:java} [INFO] Finished at: 2023-06-30T13:23:38+02:00 [INFO] [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper: [ERROR] [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': [ERROR] [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5) {code} was: {code:java} [INFO] Finished at: 2023-06-30T13:23:38+02:00 [INFO] [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper: [ERROR] [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': [ERROR] [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5) {code} > upgrade jackson to 2.15.2, suppress two false positive CVE errors > - > > Key: ZOOKEEPER-4716 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716 > Project: ZooKeeper > Issue Type: Improvement >Affects Versions: 3.8.1 >Reporter: Mate Szalay-Beko >Assignee: Mate Szalay-Beko >Priority: Major > > Our jackson is quite old, I want to upgrade it before release 3.8.2. > Also we have a few false positive CVEs reported by OWASP: > * CVE-2023-35116: according to jackson community, this is not a security > issue, see > [https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098] > * CVE-2022-45688: the following CVE is not even jackson related, but a > vulnerability in json-java which we don't use in ZooKeeper > > {code:java} > [INFO] Finished at: 2023-06-30T13:23:38+02:00 > [INFO] > > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check > (default-cli) on project zookeeper: > [ERROR] > [ERROR] One or more dependencies were identified with vulnerabilities that > have a CVSS score greater than or equal to '0.0': > [ERROR] > [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) > [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5) > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (ZOOKEEPER-4716) upgrade jackson to 2.15.2, suppress two false positive CVE errors
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mate Szalay-Beko updated ZOOKEEPER-4716: Summary: upgrade jackson to 2.15.2, suppress two false positive CVE errors (was: Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116) > upgrade jackson to 2.15.2, suppress two false positive CVE errors > - > > Key: ZOOKEEPER-4716 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716 > Project: ZooKeeper > Issue Type: Improvement >Affects Versions: 3.8.1 >Reporter: Mate Szalay-Beko >Assignee: Mate Szalay-Beko >Priority: Major > > {code:java} > [INFO] Finished at: 2023-06-30T13:23:38+02:00 > [INFO] > > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check > (default-cli) on project zookeeper: > [ERROR] > [ERROR] One or more dependencies were identified with vulnerabilities that > have a CVSS score greater than or equal to '0.0': > [ERROR] > [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) > [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5) > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (ZOOKEEPER-4716) Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mate Szalay-Beko updated ZOOKEEPER-4716: Description: {code:java} [INFO] Finished at: 2023-06-30T13:23:38+02:00 [INFO] [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper: [ERROR] [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': [ERROR] [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5) {code} > Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116 > > > Key: ZOOKEEPER-4716 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716 > Project: ZooKeeper > Issue Type: Improvement >Affects Versions: 3.8.1 >Reporter: Mate Szalay-Beko >Assignee: Mate Szalay-Beko >Priority: Major > > {code:java} > [INFO] Finished at: 2023-06-30T13:23:38+02:00 > [INFO] > > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check > (default-cli) on project zookeeper: > [ERROR] > [ERROR] One or more dependencies were identified with vulnerabilities that > have a CVSS score greater than or equal to '0.0': > [ERROR] > [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5) > [ERROR] jackson-databind-2.13.4.2.jar: CVE-2023-35116(7.5) > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (ZOOKEEPER-4716) Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mate Szalay-Beko updated ZOOKEEPER-4716: Affects Version/s: 3.8.1 > Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116 > > > Key: ZOOKEEPER-4716 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716 > Project: ZooKeeper > Issue Type: Improvement >Affects Versions: 3.8.1 >Reporter: Mate Szalay-Beko >Assignee: Mate Szalay-Beko >Priority: Major > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (ZOOKEEPER-4716) Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116
Mate Szalay-Beko created ZOOKEEPER-4716: --- Summary: Fix jackson related CVEs: CVE-2022-45688, CVE-2023-35116 Key: ZOOKEEPER-4716 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4716 Project: ZooKeeper Issue Type: Improvement Reporter: Mate Szalay-Beko Assignee: Mate Szalay-Beko -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Resolved] (ZOOKEEPER-4628) CVE-2022-42003 CVE-2022-42004 HIGH: upgrade jackson-databind-2.13.3.jar to 2.13.4.1
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mate Szalay-Beko resolved ZOOKEEPER-4628. - Resolution: Duplicate Thank you [~ivodujmovic] for reporting this issue and submitting a PR! I see that in the meanwhile this was fixed by ZOOKEEPER-4661. (of course since that time we had an other CVE, but I will take care of that in a separate ticket) > CVE-2022-42003 CVE-2022-42004 HIGH: upgrade jackson-databind-2.13.3.jar to > 2.13.4.1 > --- > > Key: ZOOKEEPER-4628 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4628 > Project: ZooKeeper > Issue Type: Task > Components: security >Affects Versions: 3.5.10, 3.8.0, 3.7.1 >Reporter: Ivo Dujmovic >Priority: Critical > Labels: pull-request-available > Time Spent: 40m > Remaining Estimate: 0h > > Two High issues > [https://nvd.nist.gov/vuln/detail/CVE-2022-42003] > [https://nvd.nist.gov/vuln/detail/CVE-2022-42004] > affect jackson version 2.13.3 which zk should update to 2.13.4.1 > Other projects have done this, but Zookeeper has not. -- This message was sent by Atlassian Jira (v8.20.10#820010)