[CASSANDRA-14427] Bump jackson version to >= 2.9.5 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 4.0-alpha1, 4.0
Component/s: None
Labels:
None

Description

The Jackson being used by Cassandra is really old (1.9.2, and still references codehaus (Jackson 1) instead of fasterxml (Jackson 2)).

There have been a few jackson vulnerabilities recently (mostly around deserialization which allows arbitrary code execution)

https://nvd.nist.gov/vuln/detail/CVE-2017-7525
https://nvd.nist.gov/vuln/detail/CVE-2017-15095
https://nvd.nist.gov/vuln/detail/CVE-2018-1327
https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Given that Jackson in Cassandra is really old and seems to be used also for reading in values, it looks worthwhile to update Jackson to 2.9.5.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

2.1-14427.txt
04/May/18 02:51
22 kB
Lerh Chuan Low
2.2-14427.txt
04/May/18 02:51
22 kB
Lerh Chuan Low
3.0-14427.txt
30/Apr/18 06:54
18 kB
Lerh Chuan Low
3.X-14427.txt
30/Apr/18 06:54
28 kB
Lerh Chuan Low
trunk-14427.txt
30/Apr/18 02:07
30 kB
Lerh Chuan Low

Issue Links

causes

CASSANDRA-18002 Update NetBeans project file for dependency changes since 7th July 2021

Resolved

Activity

People

Assignee:: Lerh Chuan Low

Reporter:: Lerh Chuan Low

Authors:: Lerh Chuan Low

Reviewers:: Jason Brown

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 30/Apr/18 02:05

Updated:: 01/Nov/22 20:09

Resolved:: 18/May/18 05:29