Affects Version/s: qpid-java-broker-7.0.3, qpid-java-broker-7.0.2, qpid-java-broker-7.0.0, qpid-java-broker-7.0.1, qpid-java-broker-7.1.0, qpid-java-broker-7.0.4, qpid-java-broker-7.0.5, qpid-java-broker-7.0.6
Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed that Apache Qpid Broker-J product itself is NOT AFFECTED by this vulnerability. This is because Broker-J code never enables Jackson's
polymorphic deserialisation features: specifically it never makes calls to ObjectMapper#enableDefaultTyping(...) nor does it use TypeResolverBuilders or annotations that enable the feature.
Though Apache Qpid Broker-J is not affected by the vulnerabilities, this JIRA will upgrade the dependencies of Broker-J to versions of the jackson-databind dependencies that are not vulnerable:
- master (upgrade from 2.9.5 to 2.9.8)
- 7.1.x (upgrade from 2.9.5 to 2.9.8)
- 7.0.x (upgrade from 22.214.171.124 to 126.96.36.199)
Please note that no upgrade of jackson-databind dependencies will be done for 6.0.x and 6.1.x versions. The 6.0.x and 6.1.x brokers can be upgraded to 7.1.x.