Uploaded image for project: 'Cassandra'
  1. Cassandra
  2. CASSANDRA-14427

Bump jackson version to >= 2.9.5

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • 4.0-alpha1, 4.0
    • None
    • None

    Description

      The Jackson being used by Cassandra is really old (1.9.2, and still references codehaus (Jackson 1) instead of fasterxml (Jackson 2)). 

      There have been a few jackson vulnerabilities recently (mostly around deserialization which allows arbitrary code execution)

      https://nvd.nist.gov/vuln/detail/CVE-2017-7525
      https://nvd.nist.gov/vuln/detail/CVE-2017-15095
      https://nvd.nist.gov/vuln/detail/CVE-2018-1327
      https://nvd.nist.gov/vuln/detail/CVE-2018-7489

      Given that Jackson in Cassandra is really old and seems to be used also for reading in values, it looks worthwhile to update Jackson to 2.9.5. 

      Attachments

        1. 2.1-14427.txt
          22 kB
          Lerh Chuan Low
        2. 2.2-14427.txt
          22 kB
          Lerh Chuan Low
        3. 3.0-14427.txt
          18 kB
          Lerh Chuan Low
        4. 3.X-14427.txt
          28 kB
          Lerh Chuan Low
        5. trunk-14427.txt
          30 kB
          Lerh Chuan Low

        Issue Links

          Activity

            People

              Lerh Low Lerh Chuan Low
              Lerh Low Lerh Chuan Low
              Lerh Chuan Low
              Jason Brown
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: