CVE-2017-7525 was recently published against the jackson-databind component. Broker-J uses the library to persist configuration and to interpret the payloads of some network requests.
Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed
that the Apache Qpid Broker-J product itself is NOT AFFECTED by this vulnerability. This is because Broker-J code never enables Jackson's
polymorphic deserialisation feature: specifically, it never calls ObjectMapper#enableDefaultTyping(...), nor does it use
TypeResolverBuilders or annotations (such as @JsonTypeInfo) that enable the feature.
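To illustrate the reasoning above, here is an added Java example (not Broker-J code) showing that with default typing left off a type hint in the input is treated as just another unknown property, together with a check a unit test can use to assert that a mapper has never had default typing enabled. QueueConfig and the JSON payload are constructed for the example.

```java
// Added example (not part of Broker-J): why Jackson's polymorphic deserialisation
// is inert unless default typing has been switched on for the ObjectMapper.
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingCheck {

    // Hypothetical configuration bean, standing in for a persisted Broker-J record.
    public static class QueueConfig {
        public String name;
        public int maxDepth;
    }

    // Constructed payload: a plain object carrying an extra "@class" hint.
    // With default typing off, Jackson never uses it to pick a class to instantiate.
    static final String HINTED_JSON =
        "{\"@class\":\"java.util.HashMap\",\"name\":\"q1\",\"maxDepth\":10}";

    // A mapper on which enableDefaultTyping(...) was never called has no default
    // TypeResolverBuilder installed; a test can assert this stays false.
    static boolean defaultTypingEnabled(ObjectMapper mapper) {
        return mapper.getDeserializationConfig().getDefaultTyper(null) != null;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        System.out.println("default typing enabled: " + defaultTypingEnabled(mapper)); // false

        try {
            mapper.readValue(HINTED_JSON, QueueConfig.class);
        } catch (JsonMappingException e) {
            // UnrecognizedPropertyException: "@class" is simply not a field of
            // QueueConfig. No class lookup happens, so no gadget could be loaded.
            System.out.println("rejected: " + e.getOriginalMessage());
        }

        // Contrast: the check flags a mapper that has been (mis)configured.
        ObjectMapper permissive = new ObjectMapper().enableDefaultTyping();
        System.out.println("default typing enabled: " + defaultTypingEnabled(permissive)); // true
    }
}
```

Wiring defaultTypingEnabled(...) into a regression test on each ObjectMapper a project constructs gives a cheap guard that a future change does not quietly turn the feature on.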
Even though it is believed the vulnerability cannot be exploited, this Jira will upgrade Broker-J's jackson-databind dependency to versions that are not vulnerable to this issue:
- master (upgrade from 2.8.7 to 2.9.4)
- 7.0.x (upgrade from 2.8.7 to 2.8.11)
- 6.1.x (upgrade from 2.5.3 to 2.8.11)
There is no release planned for 6.0.x. Users are recommended to move to the 7.0 line.