Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement: Upgrade Jackson to 2.12.6 or 2.13.1 #5641

Closed
robelcik opened this issue Mar 7, 2022 · 7 comments
Closed

Enhancement: Upgrade Jackson to 2.12.6 or 2.13.1 #5641

robelcik opened this issue Mar 7, 2022 · 7 comments
Assignees
@AlanRoth
Labels
Status: Accepted Confirmed defect or accepted improvement to implement, issue has been escalated to Platform Dev Type: Enhancement Label issue as an enhancement request

Comments

@robelcik
Copy link

robelcik commented Mar 7, 2022
edited
Loading

Description

Upgrade Jackson to 2.12.6, as currently used version contains known (possible) DoS vulnerability.

Expected Outcome

Jackson upgraded to the latest 2.12.x

Current Outcome

Currently used Jackson contains a known possible DoS vulnerability:
FasterXML/jackson-databind#3328
https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698

In December, I reported it to security@payara.fish but I have not got any reply.
In February, I added related post to forum.payara.fish but I have not got any reply.
That's why I'm submitting a request here.

Alternatives

Upgrade Jackson to the latest 2.13.x
@robelcik robelcik added Status: Open Issue has been triaged by the front-line engineers and is being worked on verification Type: Enhancement Label issue as an enhancement request labels Mar 7, 2022
@AlanRoth AlanRoth self-assigned this Mar 7, 2022
@AlanRoth
Copy link

AlanRoth commented Mar 8, 2022

Hi @robelcik,

It appears we haven't received any emails for Jackson vulnerabilities to our security@payara.fish inbox in December, we apologise about that, we actively monitor and aim to investigate all security requests.

We are investigating the impact of the vulnerability that you have shared.

Thank you,
Alan

@AlanRoth
Copy link

AlanRoth commented Mar 8, 2022

Hi @robelcik,

The server itself should not be vulnerable as Jackson does not seem to be used to process any arbitrary user input - deployed applications may be affected.

I have raised FISH-6067 to keep track of the resolution of this issue.

Thank you,
Alan

@AlanRoth AlanRoth added Status: Accepted Confirmed defect or accepted improvement to implement, issue has been escalated to Platform Dev and removed Status: Open Issue has been triaged by the front-line engineers and is being worked on verification labels Mar 8, 2022
@robelcik
Copy link
Author

robelcik commented Mar 9, 2022

Thank you, @AlanRoth!

@robelcik
Copy link
Author

robelcik commented Mar 14, 2022
edited
Loading

Hello.
There are new findings in that area, which suggest using 2.13.x rather than 2.12.x.

@AlvinYueChao
Copy link

2.13.x and 2.12.6 not work for the below issue
FasterXML/jackson-databind#2816

@MarkWareham MarkWareham mentioned this issue Mar 16, 2022
Merged
@JamesHillyard JamesHillyard mentioned this issue Mar 17, 2022
Merged
@AlanRoth
Copy link

Hi @robelcik,

We have upgraded Jackson to 2.12.6, it will be available in the next Community and Enterprise releases.

Thank you,
Alan

@robelcik
Copy link
Author

Thank you, guys!

@JamesHillyard: As for now, 2.13.2 is the latest greatest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AlanRoth AlanRoth

Labels
Status: Accepted Confirmed defect or accepted improvement to implement, issue has been escalated to Platform Dev Type: Enhancement Label issue as an enhancement request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@AlvinYueChao @robelcik @AlanRoth