Hey Richard,
The small truth about the "system" folder is that it's just a fallback
repository, which needs to follow a Maven repo directory structure.
Runtime validation is based on manifests, not URIs. Instead of removing
the affected artifact you can simply copy an updated one in its place. So
feature definitions stay intact; the resolver will simply go over the retrieved
manifest and report an issue if it's out of range.
I've done this exercise with the log4j2/pax-logging updates last December
without any major trouble. All you have to do is clean up the cache or
call "update 21" (or whatever bundle id is assigned to jackson for
you). I know it's a bad hack, but that's the shortest way to stay CVE clear.
If you want a proper way involving boot features (not a
startup.properties entry), then you can copy a new artifact using proper
coordinates into
system/.../jackson-databind/2.13.2.2/jackson-databind-2.13.2.2.jar and
then use blacklists/overrides and force use of a clear artifact.
Example file:
https://github.com/splatch/openhab-distro/blob/2ecea7e5a2d573cdd6fce394e562ad3bea0a0c48/distributions/openhab/processing.xml
(make sure you have these contents in
$KARAF_HOME/etc/org.apache.karaf.features.xml)
Again, bringing in overrides requires you to clean the runtime cache to force
re-resolving of the artifacts.
Let me know if any of these help.
Best,
Łukasz
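The two routes described above (a drop-in replacement under the system folder, and an override in etc/org.apache.karaf.features.xml), as an added example that is not from Łukasz's mail or the linked openHAB processing.xml; the helper names, the version range and the KARAF_HOME layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from Lukasz's mail or the linked openHAB repo.
# Assumes the patched jar is already available locally (the instance has
# no internet access) and that KARAF_HOME is the Karaf install directory.

# Map "mvn:groupId/artifactId/version" to the path the "system" fallback
# repository expects: Maven layout, groupId dots become directories.
mvn_to_system_path() {
    coords=${1#mvn:}
    group=$(printf '%s' "$coords" | cut -d/ -f1 | tr . /)
    artifact=$(printf '%s' "$coords" | cut -d/ -f2)
    version=$(printf '%s' "$coords" | cut -d/ -f3)
    printf 'system/%s/%s/%s/%s-%s.jar\n' \
        "$group" "$artifact" "$version" "$artifact" "$version"
}

# Drop the patched jar into the system folder under the coordinates the
# resolver will look for, so the old 2.12.1 jar can be removed safely.
install_patched_jar() {
    jar=$1; coords=$2; karaf_home=$3
    target="$karaf_home/$(mvn_to_system_path "$coords")"
    mkdir -p "$(dirname "$target")"
    cp "$jar" "$target"
    printf '%s\n' "$target"
}

# Write etc/org.apache.karaf.features.xml so every feature that references
# a jackson-databind version below 2.13.2.2 is resolved to the patched
# artifact. Element and attribute names follow Karaf's features-processing
# schema; the version range used here is an assumption for this example.
write_override_config() {
    etc_dir=$1
    cat > "$etc_dir/org.apache.karaf.features.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<featuresProcessing xmlns="http://karaf.apache.org/xmlns/features-processing/v1.0.0">
    <bundleReplacements>
        <!-- "maven" mode compares versions as Maven versions, so the range
             [2,2.13.2.2) catches 2.12.1 and every other pre-fix release -->
        <bundle originalUri="mvn:com.fasterxml.jackson.core/jackson-databind/[2,2.13.2.2)"
                replacement="mvn:com.fasterxml.jackson.core/jackson-databind/2.13.2.2"
                mode="maven"/>
    </bundleReplacements>
</featuresProcessing>
EOF
}
# The override only takes effect after a cold start with a cleared bundle
# cache, e.g. "rm -rf $KARAF_HOME/data/cache" or "bin/karaf clean".
```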
On 11.05.2022 13:51, Richard Hierlmeier wrote:
I have a Karaf installation that has in the system folder
jackson-databind 2.12.1 installed.
A security scanner detects that a vulnerable version of jackson-databind
is installed (2.12.1 is affected by CVE-2020-36518).
This version of jackson-databind does not become active because another
feature brings 2.13.2.2:
karaf@root()> la -u | grep jackson-databind
21 | Active | 35 | 2.13.2.2 | mvn:com.fasterxml.jackson.core/jackson-databind/2.13.2.2
karaf@root()>
The Karaf instance has no access to the internet.
When I delete jackson-databind 2.12.1 from the system folder then the
following error occurs at startup:
org.apache.karaf.features.internal.util.MultiException: Error:
Error downloading mvn:com.fasterxml.jackson.core/jackson-databind/2.12.1
    at org.apache.karaf.features.internal.download.impl.MavenDownloadManager$MavenDownloader.<init>(MavenDownloadManager.java:91)
    at org.apache.karaf.features.internal.download.impl.MavenDownloadManager.createDownloader(MavenDownloadManager.java:72)
    at org.apache.karaf.features.internal.region.Subsystem.downloadBundles(Subsystem.java:457)
    at org.apache.karaf.features.internal.region.Subsystem.downloadBundles(Subsystem.java:452)
    at org.apache.karaf.features.internal.region.SubsystemResolver.resolve(SubsystemResolver.java:224)
    at org.apache.karaf.features.internal.service.Deployer.deploy(Deployer.java:399)
    at org.apache.karaf.features.internal.service.Deployer.handlePrerequisites(Deployer.java:1121)
    at org.apache.karaf.features.internal.service.Deployer.deploy(Deployer.java:394)
    at org.apache.karaf.features.internal.service.FeaturesServiceImpl.doProvision(FeaturesServiceImpl.java:1069)
    at org.apache.karaf.features.internal.service.FeaturesServiceImpl.lambda$doProvisionInThread$13(FeaturesServiceImpl.java:1004)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Suppressed: java.io.IOException: Error downloading mvn:com.fasterxml.jackson.core/jackson-databind/2.12.1
Is it necessary that Karaf resolves this artifact even though it is, in the
end, not used?
Regards,
Richard