
[Broker-J] Upgrade Jackson dependencies


    Details

      Description

      CVE-2017-7525 was recently published against the Jackson-databind component. Broker-J uses the library for the purposes of the persistence of configuration and the interpreting of payloads of some network requests.

      Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed that the Apache Qpid Broker-J product itself is NOT AFFECTED by this vulnerability. This is because Broker-J code never enables Jackson's polymorphic deserialisation features: specifically it never makes calls to ObjectMapper#enableDefaultTyping(...) nor does it use TypeResolverBuilders or annotations that enable the feature.
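      The condition described above can be checked directly. The following is an added example (not Broker-J code) showing that an ObjectMapper left at its defaults, with no enableDefaultTyping call and no type-info annotations, treats a type hint embedded in a payload as nothing more than an unknown property; PortConfig and the JSON are constructed for the illustration.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

// Added example, not part of Broker-J. Demonstrates the exposure condition for
// CVE-2017-7525: polymorphic handling of a type hint only happens when default
// typing (or an equivalent annotation) has been enabled on the mapper.
public class DefaultTypingCheck {

    // Hypothetical configuration record, standing in for a persisted config object.
    public static class PortConfig {
        public String name;
        public int port;
    }

    // Returns true when the mapper binds the hinted payload as plain data
    // (i.e. the "@class" key is rejected as an unknown property), false otherwise.
    public static boolean treatsTypeHintAsPlainProperty(ObjectMapper mapper) {
        // Constructed payload: the "@class" key is the kind of hint that default
        // typing would act on; the class name here is a placeholder.
        String hinted = "{\"@class\":\"com.example.Placeholder\",\"name\":\"amqp\",\"port\":5672}";
        try {
            mapper.readValue(hinted, PortConfig.class);
            return false;
        } catch (UnrecognizedPropertyException e) {
            // FAIL_ON_UNKNOWN_PROPERTIES is on by default, so "@class" is simply rejected.
            return "@class".equals(e.getPropertyName());
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();   // defaults: default typing is off
        System.out.println("type hint treated as plain property: "
                + treatsTypeHintAsPlainProperty(mapper));

        // Without the hint the same mapper binds to the declared concrete class.
        PortConfig cfg = mapper.readValue("{\"name\":\"amqp\",\"port\":5672}", PortConfig.class);
        System.out.println(cfg.name + ":" + cfg.port);
    }
}
```

      Running this against a mapper on which enableDefaultTyping has been called would make the hint meaningful, which is exactly the configuration the description states Broker-J never uses.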

      Even though it is believed the vulnerability cannot be exploited, this Jira will upgrade the dependencies of Broker-J to versions of jackson-databind that are not vulnerable to this issue, for:

      • master (upgrade from 2.8.7 to 2.9.4)
      • 7.0.x (upgrade from 2.8.7 to 2.8.11)
      • 6.1.x (upgrade from 2.5.3 to 2.8.11)

      There is no release planned for 6.0.x.  Users are recommended to move to the 7.0 line.

      Also see:

      http://mail-archives.apache.org/mod_mbox/qpid-users/201803.mbox/%3cCAFEMS4tdrS_=st85J+-XQFm8nc3AvX4x0ay10jQmpynmDLY9dw@mail.gmail.com%3e


      People

      • Assignee: Keith Wall (k-wall)
      • Reporter: Keith Wall (k-wall)