[ovirt-devel] Re: [External] : Re: Re: Jackson-databind related changes

[Shubha Kulkarni]

Thanks for the detailed reply. I will look into right way to update these 
dependencies.
Thanks again,
Shubha

From: Martin Perina 
Sent: Friday, September 15, 2023 3:56 AM
To: Shubha Kulkarni 
Cc: devel@ovirt.org
Subject: [External] : Re: [ovirt-devel] Re: Jackson-databind related changes

Hi,

oVirt Engine is using JBoss Modules feature to load libraries, so when a 
library version is mentioned in pom.xml it's unrelated to which version is 
being using during runtime. Here's the detailed description:

1. jackson-databind 2.12.7 mentioned pom.xml is actually being used only when 
building the project directly with maven (development purposes)

https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/pom.xml.in#L61

https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/client/pom.xml.in

2. When building the project as a part of RPM build, then maven (respectively 
xmvn) is invoked to use only libraries installed locally as a part of RPM 
dependencies

https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/vdsm-jsonrpc-java.spec.in#L46
   So on CS8 we can easily find out the jackson-databind package version being 
used during RPM build
# dnf repoquery --whatprovides 'jackson-databind >= 2.10.0'
jackson-databind-0:2.10.0-1.module_el8.4.0+595+e59c9af2.noarch
jackson-databind-0:2.10.0-1.module_el8.4.0+782+1d1c31a0.noarch

3. On runtime vdsm-jsonrpc-java is being loaded using JBoss Modules as a part 
of oVirt Engine:

https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/dependencies/common/src/main/modules/org/ovirt/vdsm-jsonrpc-java/main/module.xml
   which shows that vdsm-jsonrpc-java depends on 
com.fasterxml.jackson.core.jackson-databind module, which is included in the 
relevant WildFly release.
   Currently oVirt Engine is using WildFly 24.0.1, so you can see 
jackson-databind version using following command:
# rpm -ql ovirt-engine-wildfly | grep 'jackson-databind-'

/usr/share/ovirt-engine-wildfly/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.12.3.jar

So if you want to bump jackson-databind version for oVirt Engine runtime you 
have two possibilities:

1. You can deliver updated JBoss module as a part of 
ovirt-engine-wildfly-overlay RPM: 
https://github.com/oVirt/ovirt-engine-wildfly/overlay
2. You can try to bump WildFly to latest version in ovirt-engine-wildfly RPM: 
https://github.com/oVirt/ovirt-engine-wildfly/
   Please be awate that at the moment it's not possible to use latest WildFly 
version, because oVirt Engine is using classic security model, which was 
removed in favor of Elytron in WildFly 25.
   So to bump WildFly version, you would need to implement changes in oVirt 
Engine to use Elytron.

Regarding verification the best way is to verify functionality by execution of 
oVirt System Tests: 
https://github.com/ovirt/ovirt-system-tests

Regards,
Martin


On Thu, Sep 14, 2023 at 11:44 PM Shubha Kulkarni 
mailto:shubha.kulka...@oracle.com>> wrote:
Hi All

I am yet to get any feedback on my query. So I thought I will reach out again 
to see if any one has comment on this -

Background:
I see the commit for CVE-2020-36518 to vdsm-json-rpc to bump jackson version to 
2.12.7

[ovirt-devel] Re: Jackson-databind related changes

[Martin Perina]

Hi,

oVirt Engine is using JBoss Modules feature to load libraries, so when a
library version is mentioned in pom.xml it's unrelated to which version is
being using during runtime. Here's the detailed description:

1. jackson-databind 2.12.7 mentioned pom.xml is actually being used only
when building the project directly with maven (development purposes)

https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/pom.xml.in#L61

https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/client/pom.xml.in

2. When building the project as a part of RPM build, then maven
(respectively xmvn) is invoked to use only libraries installed locally as a
part of RPM dependencies

https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/vdsm-jsonrpc-java.spec.in#L46
   So on CS8 we can easily find out the jackson-databind package version
being used during RPM build
# dnf repoquery --whatprovides 'jackson-databind >= 2.10.0'
jackson-databind-0:2.10.0-1.module_el8.4.0+595+e59c9af2.noarch
jackson-databind-0:2.10.0-1.module_el8.4.0+782+1d1c31a0.noarch

3. On runtime vdsm-jsonrpc-java is being loaded using JBoss Modules as a
part of oVirt Engine:

https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/dependencies/common/src/main/modules/org/ovirt/vdsm-jsonrpc-java/main/module.xml
   which shows that vdsm-jsonrpc-java depends on
com.fasterxml.jackson.core.jackson-databind module, which is included in
the relevant WildFly release.
   Currently oVirt Engine is using WildFly 24.0.1, so you can see
jackson-databind version using following command:
# rpm -ql ovirt-engine-wildfly | grep 'jackson-databind-'

/usr/share/ovirt-engine-wildfly/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.12.3.jar

So if you want to bump jackson-databind version for oVirt Engine runtime
you have two possibilities:

1. You can deliver updated JBoss module as a part of
ovirt-engine-wildfly-overlay RPM:
https://github.com/oVirt/ovirt-engine-wildfly/overlay
2. You can try to bump WildFly to latest version in ovirt-engine-wildfly
RPM: https://github.com/oVirt/ovirt-engine-wildfly/
   Please be awate that at the moment it's not possible to use latest
WildFly version, because oVirt Engine is using classic security model,
which was removed in favor of Elytron in WildFly 25.
   So to bump WildFly version, you would need to implement changes in oVirt
Engine to use Elytron.

Regarding verification the best way is to verify functionality by execution
of oVirt System Tests: https://github.com/ovirt/ovirt-system-tests

Regards,
Martin


On Thu, Sep 14, 2023 at 11:44 PM Shubha Kulkarni 
wrote:

> Hi All
>
>
>
> I am yet to get any feedback on my query. So I thought I will reach out
> again to see if any one has comment on this -
>
>
>
> Background:
>
> I see the commit for CVE-2020-36518 to vdsm-json-rpc to bump jackson
> version to 2.12.7
>
>
> https://github.com/oVirt/vdsm-jsonrpc-java/commit/d1f423809fd491da7b5324b308dac896ded645a7
>
> This change in only made in pom.xml is made with "default" scope (i.e
> compile).
>
>
>
> Queries:
>
> #1. So at runtime, that means this jar should be explicitly packaged
> somewhere else. I am wondering how is this newer jackson jar is picked up?
> Does it have anything to do with the change outside pom.xml that I don't
> see?
>
>
>
> #2. Ideally, I would like to verify that vdsm-jsonrpc-java application is
> using jackson-core2.12.7 and jackson-databaind 2.12.7-1 when installed on
> engine system. What is the best way to do it?
>
>
>
> Thanks
>
>
>
> *From:* Shubha Kulkarni
> *Sent:* Thursday, September 7, 2023 1:47 PM
> *To:* devel@ovirt.org
> *Subject:* Jackson-databind related changes
>
>
>
> Hello!
>
>
>
> There have been changes added to ovirt-engine and vdsm-jsonrpc-java repos
> to address security vulnerabilities in jackson-databind package. I see that
> the change is made to bump up version of jackson-databind package to
> 2.12.7.1.
>
> I am wondering what is the rpm version for ovirt-engine and
> vdsm-jsonrpc-java that has these fixes? Also, I am curious what is the best
> way to validate these changes?
>
>
>
> Thanks,
>
> Shubha
> ___
> Devel mailing list -- devel@ovirt.org
> To unsubscribe send an email to devel-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/UDIWOPJMWDCRB53I7P7H2YA7MUEY3QMX/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Devel mailing list -- devel@ovirt.org
To unsubscribe send an email to devel-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 

[ovirt-devel] Re: Jackson-databind related changes

[Sandro Bonazzola]

@Martin Perina  can you help here?

Il giorno gio 14 set 2023 alle ore 23:44 Shubha Kulkarni <
shubha.kulka...@oracle.com> ha scritto:

> Hi All
>
>
>
> I am yet to get any feedback on my query. So I thought I will reach out
> again to see if any one has comment on this -
>
>
>
> Background:
>
> I see the commit for CVE-2020-36518 to vdsm-json-rpc to bump jackson
> version to 2.12.7
>
>
> https://github.com/oVirt/vdsm-jsonrpc-java/commit/d1f423809fd491da7b5324b308dac896ded645a7
>
> This change in only made in pom.xml is made with "default" scope (i.e
> compile).
>
>
>
> Queries:
>
> #1. So at runtime, that means this jar should be explicitly packaged
> somewhere else. I am wondering how is this newer jackson jar is picked up?
> Does it have anything to do with the change outside pom.xml that I don't
> see?
>
>
>
> #2. Ideally, I would like to verify that vdsm-jsonrpc-java application is
> using jackson-core2.12.7 and jackson-databaind 2.12.7-1 when installed on
> engine system. What is the best way to do it?
>
>
>
> Thanks
>
>
>
> *From:* Shubha Kulkarni
> *Sent:* Thursday, September 7, 2023 1:47 PM
> *To:* devel@ovirt.org
> *Subject:* Jackson-databind related changes
>
>
>
> Hello!
>
>
>
> There have been changes added to ovirt-engine and vdsm-jsonrpc-java repos
> to address security vulnerabilities in jackson-databind package. I see that
> the change is made to bump up version of jackson-databind package to
> 2.12.7.1.
>
> I am wondering what is the rpm version for ovirt-engine and
> vdsm-jsonrpc-java that has these fixes? Also, I am curious what is the best
> way to validate these changes?
>
>
>
> Thanks,
>
> Shubha
> ___
> Devel mailing list -- devel@ovirt.org
> To unsubscribe send an email to devel-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/UDIWOPJMWDCRB53I7P7H2YA7MUEY3QMX/
>


-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING

Red Hat In-Vehicle Operating System

Red Hat EMEA 


*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*
___
Devel mailing list -- devel@ovirt.org
To unsubscribe send an email to devel-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/devel@ovirt.org/message/PZIUO2FDWPPK4KS3G45UFMAMIBQWQJZK/