
Upgrade jackson to 2.9.8


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.6
    • Fix Version/s: 7.7.2, 8.1, master (9.0)
    • Component/s: None
    • Labels: None
    • Environment: RedHat Linux. May run from RHEL versions 5, 6 or 7, but this issue is from a Sonatype component scan and should be independent of Linux platform version.

      Description

      We can't move to Solr 7 without fixing this issue flagged by a Sonatype scan of the Solr 7.6.0 build, using Scanner 1.56.0-01.

      Threat Level 8, against Solr v7.6: com.fasterxml.jackson.core : jackson-databind : 2.9.6
      FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718

        Attachments

        1. SOLR-13112.patch (5 kB, Kevin Risden)

              People

              • Assignee: Kevin Risden (krisden)
              • Reporter: RobertHathaway (rjh)
              • Votes: 0
              • Watchers: 7

                  Time Tracking

                  • Estimated: Not Specified
                  • Remaining: 0h
                  • Logged: 20m