I have a Karaf installation that has in the system folder jackson-databind
2.12.1 installed.
A security scanner detects that a vulnerable version of jackson-databind is
installed (2.12.1 is affected by CVE-2020-36518).
This version of jackson-databind does not become active because another
feature brings 2.13.2.2:

karaf@root()> la -u | grep jackson-databind
 21 | Active   |  35 | 2.13.2.2                            | mvn:com.fasterxml.jackson.core/jackson-databind/2.13.2.2

karaf@root()>

The Karaf instance has no access to the internet.
When I delete jackson-databind 2.12.1 from the system folder then the
following error occurs at startup:

org.apache.karaf.features.internal.util.MultiException: Error:
        Error downloading mvn:com.fasterxml.jackson.core/jackson-databind/2.12.1
        at org.apache.karaf.features.internal.download.impl.MavenDownloadManager$MavenDownloader.<init>(MavenDownloadManager.java:91)
        at org.apache.karaf.features.internal.download.impl.MavenDownloadManager.createDownloader(MavenDownloadManager.java:72)
        at org.apache.karaf.features.internal.region.Subsystem.downloadBundles(Subsystem.java:457)
        at org.apache.karaf.features.internal.region.Subsystem.downloadBundles(Subsystem.java:452)
        at org.apache.karaf.features.internal.region.SubsystemResolver.resolve(SubsystemResolver.java:224)
        at org.apache.karaf.features.internal.service.Deployer.deploy(Deployer.java:399)
        at org.apache.karaf.features.internal.service.Deployer.handlePrerequisites(Deployer.java:1121)
        at org.apache.karaf.features.internal.service.Deployer.deploy(Deployer.java:394)
        at org.apache.karaf.features.internal.service.FeaturesServiceImpl.doProvision(FeaturesServiceImpl.java:1069)
        at org.apache.karaf.features.internal.service.FeaturesServiceImpl.lambda$doProvisionInThread$13(FeaturesServiceImpl.java:1004)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
        Suppressed: java.io.IOException: Error downloading mvn:com.fasterxml.jackson.core/jackson-databind/2.12.1


Is it necessary for Karaf to resolve this artifact even though it is not used
in the end?

Regards

   Richard
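An added check, not part of the thread, that locates which feature descriptors still reference each jackson-databind version found in the system/ repository, so an offline instance is not stripped of an artifact a descriptor will ask the resolver to download. It assumes the standard Karaf layout (system/com/fasterxml/jackson/core/jackson-databind/<version>/ and feature XML files under a directory such as etc/); the feature names and the sample descriptor in demo() are constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# mvn URL of jackson-databind as written in feature descriptors (a wrap: or other prefix is tolerated)
JACKSON_RE = re.compile(r"mvn:com\.fasterxml\.jackson\.core/jackson-databind/([^/\s]+)")

def find_jackson_references(features_dir):
    """Map each jackson-databind version named in a <bundle> of any descriptor under features_dir to the features that pull it in."""
    refs = {}
    for xml_file in Path(features_dir).rglob("*.xml"):
        try:
            root = ET.parse(xml_file).getroot()
        except ET.ParseError:
            continue  # not a usable descriptor; skip it
        # tag.split("}")[-1] strips the XML namespace so any features XSD version is handled
        for feat in (e for e in root.iter() if e.tag.split("}")[-1] == "feature" and e.get("name")):
            fname = f"{feat.get('name')}/{feat.get('version', '')}"
            for bundle in (b for b in feat.iter() if b.tag.split("}")[-1] == "bundle" and b.text):
                m = JACKSON_RE.search(bundle.text)
                if m:
                    refs.setdefault(m.group(1), set()).add(fname)
    return refs

def installed_versions(system_dir):
    """jackson-databind versions present in the system/ repository on disk."""
    base = Path(system_dir) / "com/fasterxml/jackson/core/jackson-databind"
    return sorted(p.name for p in base.iterdir() if p.is_dir()) if base.is_dir() else []

def report(system_dir, features_dir):
    """version on disk -> features referencing it; an empty list means no descriptor needs it."""
    refs = find_jackson_references(features_dir)
    return {v: sorted(refs.get(v, ())) for v in installed_versions(system_dir)}

def demo():
    """Run the check against a constructed, minimal Karaf-like layout (sample data, not a real install)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for v in ("2.12.1", "2.13.2.2"):
            (root / "system/com/fasterxml/jackson/core/jackson-databind" / v).mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "etc/sample-features.xml").write_text(
            '<features xmlns="http://karaf.apache.org/xmlns/features/v1.4.0" name="sample">'
            '<feature name="legacy-rest" version="1.0.0"><bundle>mvn:com.fasterxml.jackson.core/jackson-databind/2.12.1</bundle></feature>'
            '<feature name="modern-rest" version="2.0.0"><bundle>mvn:com.fasterxml.jackson.core/jackson-databind/2.13.2.2</bundle></feature>'
            '</features>')
        return report(root / "system", root / "etc")
```

Point report() at the real system/ folder and the directory holding your feature repositories; a version whose list is empty is the only one that can be deleted without the resolver trying to download it at startup.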
