Qpid / QPID-8279

[Broker-J] Upgrade Jackson dependencies


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: qpid-java-broker-7.0.3, qpid-java-broker-7.0.2, qpid-java-broker-7.0.0, qpid-java-broker-7.0.1, qpid-java-broker-7.1.0, qpid-java-broker-7.0.4, qpid-java-broker-7.0.5, qpid-java-broker-7.0.6
    • Component/s: Broker-J
    • Labels: None

      Description

      CVE-2018-14718, CVE-2018-14719, CVE-2018-14720 and CVE-2018-14721 have been reported against jackson-databind 2.x versions below 2.9.7.

      Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by these vulnerabilities, it is believed that the Apache Qpid Broker-J product itself is NOT AFFECTED. All four CVEs require Jackson's polymorphic deserialisation to be enabled for the attacker-controlled input, and Broker-J code never enables it: it never calls ObjectMapper#enableDefaultTyping(...), and it does not use TypeResolverBuilders or annotations (such as @JsonTypeInfo on an Object-typed property) that enable the feature per property.
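      The distinction drawn above, as an added example that is not Broker-J or Jackson project code. It assumes jackson-databind 2.9.x (plus jackson-core and jackson-annotations) on the classpath; the class and bean names are hypothetical and the JSON input is constructed for the demonstration. The same bytes are read three ways: with the global enableDefaultTyping switch, with a per-property @JsonTypeInfo annotation, and with neither. In the first two cases the class named inside the JSON is instantiated (java.net.URL here, chosen because it is harmless); in the third the input is just a list of strings, which is the configuration Broker-J relies on.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.net.URL;
import java.util.List;

/**
 * Added example (not Broker-J code). Assumes jackson-databind 2.9.x on the
 * classpath. Demonstrates the two switches that turn on polymorphic
 * deserialisation and that, with both off, a class name embedded in the JSON
 * is treated as plain data.
 */
public class PolymorphicTypingDemo {

    // Constructed input. In Jackson's "wrapper array" type-id format the first
    // element names the class to instantiate and the second is its value.
    // java.net.URL is harmless; the point is that the *input* picks the class,
    // which is what gadget-class payloads against the CVEs above depend on.
    static final String TYPED_JSON = "[\"java.net.URL\",\"http://example.invalid/\"]";
    static final String BEAN_JSON  = "{\"payload\":" + TYPED_JSON + "}";

    /** Hypothetical bean whose Object field opts in via annotation. */
    public static class AnnotatedBean {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.WRAPPER_ARRAY)
        public Object payload;
    }

    /** Hypothetical bean of the same shape with no type annotation. */
    public static class PlainBean {
        public Object payload;
    }

    /** Global switch: ObjectMapper#enableDefaultTyping, the call Broker-J never makes. */
    public static Object readWithDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Default is OBJECT_AND_NON_CONCRETE: applies to Object and abstract targets,
        // including a root-level readValue(..., Object.class).
        mapper.enableDefaultTyping();
        return mapper.readValue(json, Object.class);
    }

    /** Per-property switch: @JsonTypeInfo on the target field. */
    public static Object readWithAnnotation(String json) throws Exception {
        return new ObjectMapper().readValue(json, AnnotatedBean.class).payload;
    }

    /** Neither switch: the same bytes bind to List/Map/String/Number only. */
    public static Object readPlain(String json) throws Exception {
        return new ObjectMapper().readValue(json, PlainBean.class).payload;
    }

    public static void main(String[] args) throws Exception {
        Object viaDefaultTyping = readWithDefaultTyping(TYPED_JSON);
        Object viaAnnotation    = readWithAnnotation(BEAN_JSON);
        Object plain            = readPlain(BEAN_JSON);

        System.out.println("enableDefaultTyping : " + viaDefaultTyping.getClass().getName());
        System.out.println("@JsonTypeInfo       : " + viaAnnotation.getClass().getName());
        System.out.println("neither             : " + plain.getClass().getName());

        // Only the first two honour the class name carried in the input.
        if (!(viaDefaultTyping instanceof URL) || !(viaAnnotation instanceof URL)
                || !(plain instanceof List)) {
            throw new AssertionError("unexpected binding");
        }
    }
}
```

      The practical check for a code base is therefore two-fold: grep the sources for enableDefaultTyping, @JsonTypeInfo and TypeResolverBuilder usages on properties whose declared type is Object or an abstract type, and confirm the resolved library version (for Maven, mvn dependency:tree -Dincludes=com.fasterxml.jackson.core). From jackson-databind 2.10 onwards enableDefaultTyping is deprecated in favour of activateDefaultTyping with a PolymorphicTypeValidator that allow-lists the base types; on the 2.8/2.9 lines covered by this issue the only safe option is to leave default typing off, as Broker-J does.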

      Though Apache Qpid Broker-J is not affected by these vulnerabilities, this JIRA upgrades Broker-J's jackson-databind dependencies to versions that are not vulnerable:

      • master (upgrade from 2.9.5 to 2.9.8)
      • 7.1.x (upgrade from 2.9.5 to 2.9.8)
      • 7.0.x (upgrade from 2.8.11.1 to 2.8.11.3)

      Please note that the jackson-databind dependencies of the 6.0.x and 6.1.x branches will not be upgraded. Users of 6.0.x and 6.1.x brokers can upgrade to 7.1.x instead.

      People

      • Assignee: Alex Rudyy (orudyy)
      • Reporter: Alex Rudyy (orudyy)
      • Votes: 0
      • Watchers: 2