Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
Description
The vulnerabilities CVE-2019-12086, CVE-2019-12384 and CVE-2019-12814
have been reported against jackson-core and jackson-databind version 2.9.8.
The Apache Qpid Broker-J product itself is NOT AFFECTED by these vulnerabilities because Broker-J code never enables Jackson's
polymorphic deserialisation feature: it never calls ObjectMapper#enableDefaultTyping(...), nor does it use TypeResolverBuilders or annotations that enable the feature.
Even though it is believed the vulnerability cannot be exploited, this Jira will upgrade the Broker-J dependencies to versions of jackson-core and jackson-databind that are not vulnerable to the reported CVEs:
- jackson-core 2.9.9
- jackson-databind 2.9.9.1
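The two checks this description rests on, as an added example written for this issue rather than code from Broker-J or the issue itself: a scan of Java sources for the enablers the issue names (enableDefaultTyping, TypeResolverBuilder, plus the @JsonTypeInfo annotation, assumed here as the usual annotation form), and a pom.xml check that jackson-core and jackson-databind are at or above the versions the issue moves to. The sample project it scans is constructed inline and is not Broker-J's real layout.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Calls/annotations the issue names as the ways Jackson polymorphic typing gets enabled.
ENABLERS = re.compile(r"enableDefaultTyping\s*\(|TypeResolverBuilder|@JsonTypeInfo")
# Versions the issue upgrades to; anything older is flagged.
MIN_VERSIONS = {"jackson-core": (2, 9, 9), "jackson-databind": (2, 9, 9, 1)}


def find_typing_enablers(src_root):
    """Return (relative path, line number, line) for every .java line matching ENABLERS."""
    hits = []
    for path in sorted(Path(src_root).rglob("*.java")):
        for no, line in enumerate(path.read_text(encoding="utf-8").splitlines(), 1):
            if ENABLERS.search(line):
                hits.append((str(path.relative_to(src_root)), no, line.strip()))
    return hits


def outdated_jackson(pom_path):
    """Map artifactId -> declared version for Jackson deps older than MIN_VERSIONS."""
    root = ET.parse(pom_path).getroot()
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = lambda tag: "{%s}%s" % (ns, tag) if ns else tag  # namespace-aware tag name
    # ${property} versions are resolved from <properties>; unresolvable ones are skipped.
    props = {c.tag.split("}")[-1]: (c.text or "").strip()
             for p in root.iter(q("properties")) for c in p}
    outdated = {}
    for dep in root.iter(q("dependency")):
        aid = dep.findtext(q("artifactId"), default="").strip()
        ver = dep.findtext(q("version"), default="").strip()
        if ver.startswith("${"):
            ver = props.get(ver[2:-1], "")
        if aid in MIN_VERSIONS and ver:
            if tuple(int(p) for p in re.findall(r"\d+", ver)) < MIN_VERSIONS[aid]:
                outdated[aid] = ver
    return outdated


def build_sample_project():
    """Constructed sample tree (not Broker-J's): pre-fix pom, one risky and one safe source."""
    root = Path(tempfile.mkdtemp())
    (root / "pom.xml").write_text(
        '<project xmlns="http://maven.apache.org/POM/4.0.0"><properties><jackson.version>2.9.8</jackson.version></properties><dependencies>'
        "<dependency><artifactId>jackson-core</artifactId><version>${jackson.version}</version></dependency>"
        "<dependency><artifactId>jackson-databind</artifactId><version>2.9.9</version></dependency>"
        "</dependencies></project>")
    (root / "Safe.java").write_text("ObjectMapper mapper = new ObjectMapper();\n")
    (root / "Risky.java").write_text("mapper.enableDefaultTyping();\n")
    return root
```

Against the constructed project both checks fire: the source scan reports Risky.java and the pom check reports both artifacts as older than the versions listed above.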