Embedded repackaged Jackson Version has known vulnerabilities #3825

Closed
barrycaceres opened this issue Mar 10, 2023 · 2 comments
Labels
bug This issue is a bug. closed-for-staleness

Comments

@barrycaceres

barrycaceres commented Mar 10, 2023

Describe the bug

Jackson libraries are repackaged under a "thirdparty" package and embedded, however the versions used have known security vulnerabilities triggering code scan failures.

See: https://github.com/aws/aws-sdk-java-v2/blob/master/pom.xml#L94

    <jackson.version>2.13.2</jackson.version>
    <jackson.databind.version>2.13.4.2</jackson.databind.version>
    <jacksonjr.version>2.13.2</jacksonjr.version>

Version 2.13.2 has the following known vulnerabilities:

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.13.2

Latest version 2.14.2 does not have these vulnerabilities.

Expected Behavior

Expect AWS JAR to pass security code scans by not embedding third-party software with known security vulnerabilities.

Current Behavior

Code scan for one of our customers failed because it detected Jackson version 2.13.2.

Reproduction Steps

N/A

Possible Solution

Replace Jackson versions with version 2.14.2.

Additional Information/Context

Reported as a security vulnerability over two weeks ago and despite new releases since then, this has not been addressed.

AWS Java SDK version used

2.20.20

JDK version used

openjdk version "11.0.17" 2022-10-18

Operating System and version

macOS 13.2.1

@barrycaceres barrycaceres added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 10, 2023
@debora-ito
Member

@barrycaceres the SDK is using jackson-databind 2.13.4.2. If you are referring to the following CVEs:

CVE-2022-42004
CVE-2022-42003
CVE-2020-36518

version 2.13.4.2 is not affected. Maven Central does not recognize when fixes are backported, but we followed the fixes in their original GitHub threads - see the "patched versions" section in the GitHub Security database:
CVE-2022-42004, CVE-2022-42003, CVE-2020-36518

If the security tool you use is reporting these vulnerabilities, maybe its database needs to be updated.

@debora-ito debora-ito added closing-soon This issue will close in 4 days unless further comments are made. and removed needs-triage This issue or PR still needs to be triaged. labels Mar 10, 2023
@github-actions github-actions bot added closed-for-staleness and removed closing-soon This issue will close in 4 days unless further comments are made. labels Mar 12, 2023
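A scanner-side check of the two points this thread turns on: jackson-databind is pinned by its own pom property (not `jackson.version`), and Jackson's four-segment backport versions have to be compared against the fix on their own minor line. This is an added Python example, not code from the SDK or from the issue; the per-CVE fixed-version table is an assumed illustration and should be filled from the advisory's "patched versions" section.

```python
import re
from typing import Dict, Iterable, Tuple

# Constructed copy of the three pom.xml properties quoted in the issue.
POM_SNIPPET = """
    <jackson.version>2.13.2</jackson.version>
    <jackson.databind.version>2.13.4.2</jackson.databind.version>
    <jacksonjr.version>2.13.2</jacksonjr.version>
"""

# Fixed versions per CVE on each release line. Assumed for illustration;
# take the authoritative list from the advisory's "patched versions" section.
FIXED_VERSIONS: Dict[str, Tuple[str, ...]] = {
    "CVE-2020-36518": ("2.12.6.1", "2.13.2.1"),
    "CVE-2022-42003": ("2.12.7.1", "2.13.4.1"),
    "CVE-2022-42004": ("2.12.7.1", "2.13.4.1"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Jackson adds a fourth micro-patch segment for backports (2.13.4.2); pad to four."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def pom_properties(pom: str) -> Dict[str, str]:
    """Collect <name>value</name> pairs from a <properties> fragment."""
    return dict(re.findall(r"<([\w.]+)>([^<]+)</\1>", pom))


def databind_version(props: Dict[str, str]) -> str:
    """jackson-databind is pinned by its own property; reading jackson.version
    instead is what makes a scan report 2.13.2 for this SDK."""
    return props.get("jackson.databind.version", props["jackson.version"])


def is_fixed(version: str, fixed: Iterable[str]) -> bool:
    """A version is fixed if it is at or above the fix on its own minor line
    (2.13.x is judged against 2.13.4.1, not 2.12.7.1). A line with no listed
    fix counts as fixed only if it is newer than every fix published."""
    v = parse_version(version)
    fixes = [parse_version(f) for f in fixed]
    same_line = [f for f in fixes if f[:2] == v[:2]]
    return v >= max(same_line) if same_line else v > max(fixes)


def affected_cves(version: str) -> Tuple[str, ...]:
    """CVEs from the table that the given jackson-databind version is still exposed to."""
    return tuple(sorted(c for c, fx in FIXED_VERSIONS.items() if not is_fixed(version, fx)))
```

With the table above, `affected_cves("2.13.4.2")` is empty while `affected_cves("2.13.2")` lists all three, which is the false positive a scanner keyed on `jackson.version` produces.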
@barrycaceres
Author

Okay thanks -- I will share with our customer to have them update their security scan tool.
