Description
These two libraries are deprecated and replaced by the jackson-databind libraries, which are already included. These two libraries are flagged by our vulnerability scanners as having the following security vulnerabilities. I've set the priority to Major due to the Critical nature, and hopefully they can be addressed quickly. Please note, I'm not a developer but work in InfoSec, and this was flagged when we incorporated Spark into our product. If you feel the priority is not set correctly, please change it accordingly. I'll watch the issue and flag our dev team to update once it is resolved.
jackson-mapper-asl-1.9.13
CVE-2018-7489 (CVSS 3.0 Score 9.8 CRITICAL)
https://nvd.nist.gov/vuln/detail/CVE-2018-7489
CVE-2017-7525 (CVSS 3.0 Score 9.8 CRITICAL)
https://nvd.nist.gov/vuln/detail/CVE-2017-7525
CVE-2017-17485 (CVSS 3.0 Score 9.8 CRITICAL)
https://nvd.nist.gov/vuln/detail/CVE-2017-17485
CVE-2017-15095 (CVSS 3.0 Score 9.8 CRITICAL)
https://nvd.nist.gov/vuln/detail/CVE-2017-15095
CVE-2018-5968 (CVSS 3.0 Score 8.1 High)
https://nvd.nist.gov/vuln/detail/CVE-2018-5968
jackson-core-asl-1.9.13
CVE-2016-7051 (CVSS 3.0 Score 8.6 High)
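The quickest way to confirm whether a given Spark build still carries the two artifacts above is to look at the jar names in its distribution directory. The script below is an added example for that check; it is not code from the Spark project or from the reporter. It assumes the jars live in one flat directory (Spark ships them under `jars/`) with Maven-style `artifactId-version[-classifier].jar` names, copies the artifact-to-CVE mapping from the list above rather than querying a scanner, and runs over a constructed file listing so it works offline.

```python
"""Flag the deprecated Codehaus Jackson 1.x jars (jackson-mapper-asl,
jackson-core-asl) in a Spark-style jars/ directory.

Added example; not part of the Spark project or the issue reporter's tooling.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Artifact -> CVEs, copied from the issue description for version 1.9.13.
# The CVSS scores and the mapping come from the reporter's scanner output.
FLAGGED_ARTIFACTS: Dict[str, List[str]] = {
    "jackson-mapper-asl": [
        "CVE-2018-7489", "CVE-2017-7525", "CVE-2017-17485",
        "CVE-2017-15095", "CVE-2018-5968",
    ],
    "jackson-core-asl": ["CVE-2016-7051"],
}
AFFECTED_VERSION = "1.9.13"

# Maven convention: <artifactId>-<version>[-<classifier>].jar, where the
# version is the first dash-separated token that starts with a digit.
# artifactIds may themselves contain dashes, dots and underscores
# (e.g. spark-core_2.11), hence the non-greedy artifact group.
JAR_NAME_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.\-]+?)-(?P<version>\d[^-]*)"
    r"(?:-(?P<classifier>[A-Za-z0-9_.]+))?\.jar$"
)


def parse_jar_name(filename: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Split a jar file name into (artifactId, version, classifier).

    Returns None for names that do not follow the Maven convention.
    """
    match = JAR_NAME_RE.match(filename)
    if not match:
        return None
    return match.group("artifact"), match.group("version"), match.group("classifier")


def scan_jar_names(filenames: List[str]) -> List[Dict[str, object]]:
    """Return one finding per jar whose artifactId is on the deprecated list.

    The CVE list is attached only when the version is the one named in the
    issue (1.9.13); any other 1.x build of these artifacts is still reported
    as deprecated, but with an empty CVE list because this page does not
    cover it.
    """
    findings: List[Dict[str, object]] = []
    for name in filenames:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version, _classifier = parsed
        if artifact not in FLAGGED_ARTIFACTS:
            continue
        cves = FLAGGED_ARTIFACTS[artifact] if version == AFFECTED_VERSION else []
        findings.append({"jar": name, "artifact": artifact,
                         "version": version, "cves": cves})
    return findings


def scan_directory(path: str) -> List[Dict[str, object]]:
    """Run the check against a real directory, e.g. $SPARK_HOME/jars."""
    return scan_jar_names(sorted(os.listdir(path)))


# Constructed sample listing (not taken from any real Spark build): the two
# flagged jars beside their jackson-databind replacement and unrelated jars.
SAMPLE_JARS = [
    "jackson-mapper-asl-1.9.13.jar",
    "jackson-core-asl-1.9.13.jar",
    "jackson-databind-2.6.7.1.jar",
    "jackson-core-2.6.7.jar",
    "spark-core_2.11-2.4.0.jar",
    "hadoop-client-2.7.3-tests.jar",
    "README.txt",
]

if __name__ == "__main__":
    for finding in scan_jar_names(SAMPLE_JARS):
        cve_text = ", ".join(finding["cves"]) or "(no CVEs listed in this issue)"
        print(f"{finding['jar']}: deprecated Codehaus Jackson 1.x, {cve_text}")
```

Point `scan_directory` at `$SPARK_HOME/jars` to run it against a real distribution; an empty result after an upgrade is the quickest confirmation that the fix landed in the build you actually ship, independent of what a scanner reports.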
Issue Links
- is duplicated by
  - SPARK-40457 upgrade jackson data mapper to latest (Open)
- relates to
  - HADOOP-13706 Update jackson from 1.9.13 to 2.x in hadoop-common-project (Resolved)
  - SPARK-44114 Upgrade built-in Hive to 3+ (Open)
  - PARQUET-1375 Upgrade to supported version of Jackson (Resolved)
  - HIVE-18433 Upgrade version of com.fasterxml.jackson (Closed)