Hello,

Apache Qpid Broker-J utilises the jackson-databind [1] component for the purposes of persisting configuration and interpreting the payloads of some network requests. Vulnerability CVE-2017-7525 [2] was recently published against the jackson-databind component.

Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed that the Apache Qpid Broker-J product itself is *NOT AFFECTED* by this vulnerability. This is because Broker-J code never enables Jackson's polymorphic deserialisation features: specifically, it never makes calls to Object#enableDefaultTyping(...), nor does it use TypeResolverBuilders or annotations that enable the feature.

The Broker-J versions involved are:

* Apache Qpid Broker-J 7.0.0 - 7.0.2 included jackson-databind 2.8.7.
* Apache Qpid Broker-J 6.0.0 - 6.1.5 included jackson-databind 2.5.3.

The Apache Qpid project plans to put out new releases (7.0.3 and 6.1.6) of the Broker-J soon. These will include a newer release of jackson-databind that includes the fix for CVE-2017-7525.

Kind regards, Keith Wall.

[1] https://github.com/FasterXML/jackson-databind
[2] https://nvd.nist.gov/vuln/detail/CVE-2017-7525
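The "not affected" reasoning above rests on one property of the ObjectMapper configuration: default typing is never enabled. The following is an added illustration, not Broker-J's or Jackson's own code, of how a project can verify that property in its own test suite; the class name in the JSON and the settings key are placeholders constructed for the example.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.type.TypeFactory;

import java.util.List;
import java.util.Map;

public final class DefaultTypingAudit {

    /**
     * True if the mapper will honour type hints for Object-typed values, i.e. someone
     * called enableDefaultTyping(...) or installed an equivalent TypeResolverBuilder.
     * A project that relies on "we never enable default typing" can assert this is false.
     */
    static boolean hasDefaultTyping(ObjectMapper mapper) {
        JavaType objectType = TypeFactory.defaultInstance().constructType(Object.class);
        return mapper.getDeserializationConfig().getDefaultTyper(objectType) != null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a value in the "wrapper array" shape that Jackson's default
        // typing would read as a class name plus properties. The class is a placeholder.
        String payload = "{\"setting\": [\"com.example.Placeholder\", {\"value\": 1}]}";

        // A mapper configured the way the advisory describes Broker-J: no default typing.
        ObjectMapper safe = new ObjectMapper();
        System.out.println("default typing enabled: " + hasDefaultTyping(safe));

        // Without default typing the type hint is just data: the value is a List holding
        // a String and a Map, and no class is looked up or instantiated from the payload.
        Map<?, ?> parsed = safe.readValue(payload, Map.class);
        Object setting = parsed.get("setting");
        System.out.println("parsed as plain list: " + (setting instanceof List));
        System.out.println("first element type: " + ((List<?>) setting).get(0).getClass().getName());

        // The configuration the advisory says Broker-J never uses; the audit method flags it.
        ObjectMapper risky = new ObjectMapper();
        risky.enableDefaultTyping();
        System.out.println("default typing enabled: " + hasDefaultTyping(risky));
    }
}
```

Running hasDefaultTyping against every ObjectMapper a code base constructs gives a cheap regression test that the mitigation assumed in this advisory still holds after dependency or code changes.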
