
[Broker-J] Upgrade Jackson dependencies


Details

    Description

      CVE-2017-7525 was recently published against the jackson-databind component. Broker-J uses the library to persist its configuration and to interpret the payloads of some network requests.

      Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed
      that the Apache Qpid Broker-J product itself is NOT AFFECTED by this vulnerability. This is because Broker-J code never enables Jackson's
      polymorphic deserialisation features: specifically, it never calls ObjectMapper#enableDefaultTyping(...), nor does it use
      TypeResolverBuilders or annotations that enable the feature.

      Even though it is believed the vulnerability cannot be exploited, this Jira will upgrade the dependencies of Broker-J to versions of jackson-databind that are not vulnerable to this issue:

      For:

      • master (upgrade from 2.8.7 to 2.9.4)
      • 7.0.x (upgrade from 2.8.7 to 2.8.11)
      • 6.1.x (upgrade from 2.5.3 to 2.8.11)

      There is no release planned for 6.0.x. Users are recommended to move to the 7.0 line.
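      The point made above, that exposure hinges on whether ObjectMapper#enableDefaultTyping(...) is ever called, as an added Java example (not Broker-J's own code): a stock ObjectMapper reads a ["class", {...}] array in an Object-typed field as a plain list, while a small guard rejects any mapper on which default typing has been switched on. The ConfiguredObjectRecord class and the JSON input are constructed for the example; the guard assumes MapperConfig#getDefaultTyper(JavaType), as present in jackson-databind 2.8 and 2.9.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingCheck {

    // Constructed stand-in for a persisted configuration record (not a Broker-J class).
    public static class ConfiguredObjectRecord {
        public String name;
        public Object attributes;   // an Object-typed field is where default typing would apply
    }

    // Guard: fail fast if a mapper has global default typing switched on.
    // getDefaultTyper(...) returns the configured TypeResolverBuilder, or null when none is set.
    static void assertNoDefaultTyping(ObjectMapper mapper) {
        JavaType base = mapper.getTypeFactory().constructType(Object.class);
        if (mapper.getDeserializationConfig().getDefaultTyper(base) != null) {
            throw new IllegalStateException("ObjectMapper has default typing enabled");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a JSON array standing where an attribute value would be.
        String json = "{\"name\":\"vhost1\","
                + "\"attributes\":[\"java.util.HashMap\",{\"maxConnections\":10}]}";

        // Safe configuration: the stock ObjectMapper never consults class names in the payload,
        // so the array is bound to the Object field as an ordinary List of two elements.
        ObjectMapper safe = new ObjectMapper();
        assertNoDefaultTyping(safe);
        ConfiguredObjectRecord record = safe.readValue(json, ConfiguredObjectRecord.class);
        System.out.println("attributes bound as " + record.attributes.getClass().getName());

        // Weak configuration: enableDefaultTyping() makes Jackson treat ["class",{...}] as a
        // type hint for Object-typed fields. The guard rejects such a mapper before it is used.
        ObjectMapper weak = new ObjectMapper().enableDefaultTyping();
        try {
            assertNoDefaultTyping(weak);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      Running the guard against every ObjectMapper a codebase constructs (for example from a unit test) turns the "never enables default typing" claim into a check that fails the build if someone later switches it on.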

      Also see:

      http://mail-archives.apache.org/mod_mbox/qpid-users/201803.mbox/%3cCAFEMS4tdrS_=st85J+-XQFm8nc3AvX4x0ay10jQmpynmDLY9dw@mail.gmail.com%3e


            People

              kwall Keith Wall