
vulnerable dependencies flagged by WhiteSource #416

Closed
passuied opened this issue Sep 21, 2018 · 2 comments
Labels
v1.x Issues related to the 1.x version v2.x Issues related to the 2.x version

Comments

@passuied

Hi,
We are using the KCL jars and our IT Sec department has flagged the following dependency jars as vulnerable:

  • Jackson Core: In Jackson Core before version 2.8.6, if the REST endpoint consumes POST requests with JSON or XML data and the data are invalid, the first unrecognized token is printed to server.log. If the first token is a word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.
  • Jackson Databind: FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
  • Google Guava: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Could a new version be created with dependencies to patched versions?

Thanks
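
The three descriptions above each give an affected version range. As an added example (not code from the KCL project or from either commenter), the following script turns those ranges into a check that can be run over the output of `mvn dependency:list`, so a team can confirm whether a given KCL build actually resolves an affected jackson-core, jackson-databind or guava version. The sample output lines are constructed for the example, not captured from a real KCL build, and the `DEP_LINE` pattern assumes the usual `group:artifact:jar:version:scope` layout of that Maven goal.

```python
"""Flag resolved Maven artifacts whose versions fall inside the affected
ranges quoted in this issue (example code, not part of the KCL project)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Matches one line of `mvn dependency:list` output, e.g.
# "[INFO]    com.google.guava:guava:jar:24.1-jre:compile"
DEP_LINE = re.compile(r"^\[INFO\]\s+([^:\s]+):([^:\s]+):jar:([^:\s]+):(\w+)")


def parse_version(text: str) -> Version:
    """Turn '24.1-jre' or '2.9.3' into a comparable tuple of ints, ignoring
    any qualifier after the first '-' and padding to three components."""
    core = text.split("-", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


# Affected ranges exactly as described in the issue text. Each entry is
# (lower bound inclusive, or None; upper bound; whether the upper bound
# is itself affected).
AFFECTED: Dict[str, List[Tuple[Optional[Version], Version, bool]]] = {
    "com.fasterxml.jackson.core:jackson-core": [
        (None, (2, 8, 6), False),          # "before version 2.8.6"
    ],
    "com.fasterxml.jackson.core:jackson-databind": [
        (None, (2, 8, 10), True),          # "through 2.8.10"
        ((2, 9, 0), (2, 9, 3), True),      # "2.9.x through 2.9.3"
    ],
    "com.google.guava:guava": [
        ((11, 0, 0), (24, 1, 1), False),   # "11.0 through 24.x before 24.1.1"
    ],
}


def is_affected(coordinate: str, version: str) -> bool:
    """True when the artifact version lies in one of its affected ranges."""
    v = parse_version(version)
    for low, high, high_inclusive in AFFECTED.get(coordinate, []):
        if low is not None and v < low:
            continue
        if v < high or (high_inclusive and v == high):
            return True
    return False


def scan_dependency_list(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (coordinate, version) for every flagged artifact in the output."""
    flagged: List[Tuple[str, str]] = []
    for line in lines:
        m = DEP_LINE.match(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        coordinate = f"{group}:{artifact}"
        if is_affected(coordinate, version):
            flagged.append((coordinate, version))
    return flagged


# Constructed sample output for the example; not captured from a KCL build.
SAMPLE_OUTPUT = [
    "[INFO] The following files have been resolved:",
    "[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.6.7:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.3:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-annotations:jar:2.9.6:compile",
    "[INFO]    com.google.guava:guava:jar:24.1-jre:compile",
]

if __name__ == "__main__":
    for coordinate, version in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"affected: {coordinate}:{version}")
```

Pipe real output in with `mvn dependency:list | python check_deps.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin`; the version parser deliberately drops qualifiers such as `-jre`, which is why `24.1-jre` compares as 24.1.0 and is caught, while `26.0-jre` is not.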

@sahilpalvia
Contributor

Thanks for reporting this. We have upgraded the version of the guava library for KCL v1.x and v2.x. They should be available with 2.0.3 (released) and once 1.9.3 is available. As for the jackson dependencies, they come from the AWS SDK, and you can read here for the fix.

@sahilpalvia sahilpalvia added v1.x Issues related to the 1.x version v2.x Issues related to the 2.x version labels Oct 10, 2018
@passuied
Author

Thanks for the quick turnaround
