Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-13112

Upgrade jackson to 2.9.8

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 7.6
    • 7.7.2, 8.1, 9.0
    • None
    • None
    • RedHat Linux.    May run from RHEL versions 5, 6 or 7 but this issue is from Sonatype component scan and should be independent of Linux platform version.

    Description

      We can't move to Solr 7 without fixing this issue flagged by Sonatype scan Of Solr - 7.6.0 Build,
      Using Scanner 1.56.0-01

      Threat Level 8       Against Solr v7.6.  com.fasterxml.jackson.core : jackson-databind : 2.9.6
      FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718

      Attachments

        1. SOLR-13112.patch
          5 kB
          Kevin Risden

        Issue Links

          Activity

            People

              krisden Kevin Risden
              rjh RobertHathaway
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m