Details
- Bug
- Status: Resolved
- Normal
- Resolution: Won't Fix
- None
- Security
- Normal
- Low Hanging Fruit
- User Report
- All
- Security
Description
As a Cassandra consumer
I want the jackson-mapper-asl removed
So that I do not suffer risks that are published in that dependency
Swapping the Codehaus libraries over to jackson-databind resulted in CVE-2019-10172 being mitigated in 3.11. See CASSANDRA-15867.
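The check a consumer would want after a change like this is a quick audit of the build file: confirm the Codehaus Jackson 1.x artifacts are gone and the FasterXML replacements are pinned at least at the versions the patch on this issue introduces. The script below is an added example, not Cassandra project code; the `audit` function, the `REMOVED`/`REQUIRED` tables and the two `build.xml` snippets are constructed here, with artifact names and versions copied from the patch in this issue.

```python
"""Audit an Ant build.xml dependency list for the Jackson 1.x (Codehaus) artifacts
this issue asks to remove, and confirm the FasterXML replacements are pinned.

Added example, not Cassandra project code. Artifact coordinates and versions
come from the patch attached to this issue; the XML snippets are constructed."""
import xml.etree.ElementTree as ET

# Artifacts that must no longer be declared (jackson-mapper-asl 1.x is the
# dependency the issue description ties to CVE-2019-10172).
REMOVED = {
    ("org.codehaus.jackson", "jackson-core-asl"),
    ("org.codehaus.jackson", "jackson-mapper-asl"),
}

# Replacements and the minimum versions the patch pins them at.
REQUIRED = {
    ("com.fasterxml.jackson.core", "jackson-core"): "2.9.10",
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.9.10.4",
    ("com.fasterxml.jackson.core", "jackson-annotations"): "2.9.10",
}


def parse_version(version: str) -> tuple:
    """Turn '2.9.10.4' into (2, 9, 10, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(build_xml: str) -> dict:
    """Return {'clean': bool, 'findings': [...]} for one build.xml document."""
    root = ET.fromstring(build_xml)
    declared = {}
    for dep in root.iter("dependency"):
        key = (dep.get("groupId"), dep.get("artifactId"))
        # Ant build files often list each artifact twice: once with a version
        # and once without. Keep the pinned version when one is present.
        if dep.get("version") or key not in declared:
            declared[key] = dep.get("version")

    findings = []
    for group, artifact in REMOVED:
        if (group, artifact) in declared:
            findings.append(f"vulnerable artifact still declared: {group}:{artifact}")
    for (group, artifact), minimum in REQUIRED.items():
        version = declared.get((group, artifact))
        if version is None:
            findings.append(f"missing replacement: {group}:{artifact}")
        elif parse_version(version) < parse_version(minimum):
            findings.append(f"{group}:{artifact} {version} is below {minimum}")
    return {"clean": not findings, "findings": findings}


# Constructed snippet mirroring the pre-patch state (Jackson 1.9.2 from Codehaus).
BEFORE_BUILD_XML = """<project>
  <dependency groupId="ch.qos.logback" artifactId="logback-classic" version="1.1.3"/>
  <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl" version="1.9.2"/>
  <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl" version="1.9.2"/>
  <dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/>
  <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl"/>
  <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl"/>
</project>"""

# Constructed snippet mirroring the post-patch state (FasterXML 2.9.10 / 2.9.10.4).
AFTER_BUILD_XML = """<project>
  <dependency groupId="ch.qos.logback" artifactId="logback-classic" version="1.1.3"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.9.10"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.9.10.4"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.9.10"/>
  <dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations"/>
</project>"""


if __name__ == "__main__":
    for label, doc in (("before", BEFORE_BUILD_XML), ("after", AFTER_BUILD_XML)):
        result = audit(doc)
        print(label, "clean" if result["clean"] else "NOT clean")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the real `build.xml` the audit only tells you what Cassandra pins directly; a transitive pull of `org.codehaus.jackson` by another artifact would need the resolved dependency tree (or the OWASP Dependency Check this issue blocks on) to surface.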
Author: Stefan Miklosovic <stefan.miklosovic@instaclustr.com> 2020-06-13 16:09:00 Committer: Brandon Williams <brandonwilliams@apache.org> 2020-06-17 17:21:35 Parent: e49853914bd407827093cebf5151db0ebe2eba9e (Merge branch 'cassandra-3.0' into cassandra-3.11) Child: ac289270f2bb3bb7251319f7f71d6c66a4272db4 (Merge branch 'cassandra-3.0' into cassandra-3.11) Branches: 3.11.7, cassandra-3.11, remotes/origin/cassandra-3.11, remotes/origin/trunk, trunk Follows: cassandra-3.11.6 Precedes: cassandra-3.11.7 update Jackson to 2.9.10 Patch by Stefan Miklosovic, reviewed by brandonwilliams for CASSANDRA-15867 ---------------------------------- build.xml ---------------------------------- index 0724dbb29c..25a47335b9 100644 @@ -406,8 +406,9 @@ <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j" version="1.7.7" /> <dependency groupId="ch.qos.logback" artifactId="logback-core" version="1.1.3"/> <dependency groupId="ch.qos.logback" artifactId="logback-classic" version="1.1.3"/> - <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl" version="1.9.2"/> - <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl" version="1.9.2"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.9.10"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.9.10.4"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.9.10"/> <dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/> <dependency groupId="com.boundary" artifactId="high-scale-lib" version="1.0.6"/> <dependency groupId="com.github.jbellis" artifactId="jamm" version="0.3.0"/> 
@@ -627,8 +628,9 @@ <dependency groupId="org.slf4j" artifactId="slf4j-api"/> <dependency groupId="org.slf4j" artifactId="log4j-over-slf4j"/> <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j"/> - <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl"/> - <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations"/> <dependency groupId="com.googlecode.json-simple" artifactId="json-simple"/> <dependency groupId="com.boundary" artifactId="high-scale-lib"/> <dependency groupId="org.yaml" artifactId="snakeyaml"/>
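Review bot: in the first hunk (build.xml @ 406) the pinned versions do not match the commit message: jackson-databind is set to 2.9.10.4 while jackson-core and jackson-annotations are at 2.9.10, the message says only "update Jackson to 2.9.10", and the linked CASSANDRA-15867 title says 2.9.10.1. Since the description ties the CVE mitigation to jackson-databind, the commit message should state 2.9.10.4 so the fix level is traceable, and a short comment beside the three `<dependency>` lines saying that databind intentionally runs ahead of core/annotations would pre-empt the question in later reviews. Note also that moving the groupId from org.codehaus.jackson to com.fasterxml.jackson.core changes the Java package names, so this build.xml change only compiles once the callers are migrated; the hunk shown here covers build.xml alone.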
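Review bot: the versionless list in the second hunk (build.xml @ 627) is consistent with the first (both Codehaus entries removed, all three FasterXML artifacts added), which is what keeps the two declarations from drifting. One thing to verify before merge: dropping jackson-mapper-asl from both lists only stops Cassandra pinning it directly; if any neighbouring artifact in this list (json-simple, high-scale-lib, snakeyaml) pulls org.codehaus.jackson in transitively, the 1.x jar still lands on the classpath, so the resolved dependency tree should be checked. The OWASP Dependency Check this issue blocks (CASSANDRA-14612) would make that visible in the build.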
Issue Links
- blocks: CASSANDRA-14612 Please add OWASP Dependency Check to the build (pom.xml) (Resolved)
- is caused by: CASSANDRA-15828 Remove jackson-mapper-asl-1.9.13 to address CVE (Resolved)
- is related to: CASSANDRA-15867 Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5 (Resolved)