[QPID-8329] [Broker-J] Upgrade jackson dependencies to version 2.9.9 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: Broker-J
Labels:
None

Description

The CVE vulnerabilities CVE-2019-12086, CVE-2019-12384, CVE-2019-12814
have been reported against jackson-core and jackson-databind versions 2.9.8.

The Apache Qpid Broker-J product itself is NOT AFFECTED by these vulnerabilities because Broker-J code never enables Jackson's
polymorphic deserialisation feature, specifically it never makes calls to ObjectMapper#enableDefaultTyping(...) nor does it use TypeResolverBuilders or annotations that enable the feature.

Even though it is believed the vulnerability cannot be exploited, this Jira will upgrade the dependencies of Broker-J to versions of the jakson-core and jackson-databind that are not vulnerable to reported CVEs:

jakson-core 2.9.9
jackson-databind 2.9.9.1

Attachments

Activity

People

Assignee:: Alex Rudyy

Reporter:: Alex Rudyy

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 03/Jul/19 10:49

Updated:: 13/Dec/19 11:59

Resolved:: 13/Dec/19 11:59