[FOLIO-1685] Backend modules using RMB should update to fix jackson-databind security vulnerability Created: 07/Jan/19  Updated: 03/Jun/20  Resolved: 14/Mar/19

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Umbrella Priority: P3
Reporter: Julian Ladisch Assignee: Unassigned
Resolution: Done Votes: 0
Labels: core, platform-backlog, security, sprint54
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-1682 Security vulnerability reported in ja... Closed
is blocked by RMB-315 Fix security vulnerabilities in jacks... Closed
Sprint:
Development Team: Core: Platform

Description

RMB has updated jackson-databind to version 2.9.8 fixing these security vulnerabilities:

RMB >= 23.3.1 and RMB 23.2.x >= 23.2.2 have the fix.

Any module that uses RMB can update to a fixed RMB version (preferred) or manually update jackson-databind to 2.9.8.

This is the list of 2018-Q4 backend modules; each line begins with the RMB version the module uses. ------ indicates that it does not use RMB.

Core Modules 2018-Q4
RMB ------ mod-authtoken 2.0.3
RMB 23.1.0 mod-circulation 14.1.0
RMB 23.1.0 mod-circulation-storage 6.2.0
RMB 23.2.1 mod-codex-inventory 1.4.0
RMB 23.2.1 mod-codex-mux 2.3.0
RMB 21.0.3 mod-configuration 5.0.1
RMB 23.0.0 mod-feesfines 15.1.0
RMB ------ mod-inventory 11.0.0
RMB 23.1.0 mod-inventory-storage 14.0.0
RMB 23.0.0 mod-login 4.6.0
RMB 23.2.1 mod-notes 2.2.0
RMB 23.3.0 mod-notify 2.1.0
RMB 21.0.4 mod-permissions 5.4.0
RMB 23.2.1 mod-tags 0.2.0
RMB 21.0.4 mod-template-engine 1.0.1
RMB 23.0.0 mod-users 15.3.0
RMB 23.2.1 mod-users-bl 4.3.2

External Modules 2018-Q4
RMB ------ mod-agreements 1.0.2
RMB 23.2.1 mod-audit 0.0.3
RMB ------ mod-audit-filter 0.0.4
RMB 23.2.1 mod-calendar 1.2.0 (jackson-databind 2.8.11.1)
RMB 19.0.0 mod-marccat 1.2.0
RMB 21.0.4 mod-codex-ekb 1.1.0
RMB ?????? mod-credits not on https://github.com/folio-org
RMB 23.0.0 mod-data-import 1.0.0
RMB 21.0.3 mod-email 1.0.0
RMB 23.1.0 mod-erm-usage 1.0.0
RMB 23.1.0 mod-erm-usage-harvester 1.0.0
RMB 23.0.0 mod-event-config 1.0.0
RMB 19.0.0 mod-finance-storage 1.0.1
RMB 19.1.5 mod-gobi 1.0.1
RMB ------ mod-kb-ebsco 1.1.0
RMB 23.2.0 mod-kb-ebsco-java no versioning
RMB ------ mod-licenses 1.0.2
RMB 15.0.2 mod-login-saml 1.2.1 (jackson.version 2.9.7)
RMB 23.1.0 mod-oai-pmh 1.0.1
RMB 23.2.1 mod-orders 1.0.2
RMB 23.1.0 mod-orders-storage 1.0.2
RMB 19.1.3 mod-patron 1.2.0
RMB 19.1.3 mod-rtac 1.2.1
RMB 21.0.4 mod-sender 1.0.0
RMB 21.0.3 mod-source-record-manager 0.1.0
RMB 23.0.0 mod-source-record-storage 1.0.0
RMB 17.0.0 mod-user-import 3.1.0
RMB 19.0.0 mod-vendors 1.0.3
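The fix rule above (RMB 23.3.1 or later, or 23.2.2 or later within the 23.2.x branch, with jackson-databind 2.9.8 as the fixed library) can be applied to a listing in the format of this description. The following checker is an added example, not part of the issue; the sample listing is constructed from a few lines above plus two made-up modules on fixed RMB versions.

```python
import re
from typing import List, Optional, Tuple

# jackson-databind version that carries the fix, as stated in the issue.
FIXED_JACKSON = (2, 9, 8)

# "RMB <version or ------ or ??????> <module> [version and notes]"
LINE_RE = re.compile(r"^RMB (?P<rmb>\S+) (?P<module>\S+)(?: (?P<rest>.*))?$")
# Explicit jackson pin noted in parentheses, e.g. "(jackson-databind 2.8.11.1)"
# or "(jackson.version 2.9.7)".
PIN_RE = re.compile(r"jackson[-.](?:databind|version) (\d+(?:\.\d+)+)")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '23.2.1' or '2.8.11.1' into a tuple of ints for comparison."""
    return tuple(int(p) for p in text.split("."))

def rmb_has_fix(rmb: str) -> bool:
    """RMB >= 23.3.1, or 23.2.x with x >= 2, ships jackson-databind 2.9.8."""
    v = parse_version(rmb)
    if v[:2] == (23, 2):
        return v >= (23, 2, 2)
    return v >= (23, 3, 1)

def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (module, verdict) for one listing line, or None for headings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rmb, module, rest = m.group("rmb"), m.group("module"), m.group("rest") or ""
    pin = PIN_RE.search(rest)
    # An explicit dependencyManagement pin wins over whatever RMB ships.
    if pin and parse_version(pin.group(1)) < FIXED_JACKSON:
        return module, f"pins jackson {pin.group(1)} (< 2.9.8)"
    if rmb == "------":
        return module, "does not use RMB"
    if not re.fullmatch(r"\d+(\.\d+)+", rmb):
        return module, "RMB version unknown"
    return module, "ok" if rmb_has_fix(rmb) else f"RMB {rmb} needs update"

def modules_needing_update(listing: str) -> List[Tuple[str, str]]:
    """Everything that is neither fixed nor RMB-free needs a look."""
    results = (classify(line) for line in listing.splitlines())
    return [r for r in results if r and r[1] not in ("ok", "does not use RMB")]

# Constructed sample: lines from the description plus two made-up fixed modules.
SAMPLE = """Core Modules 2018-Q4
RMB ------ mod-authtoken 2.0.3
RMB 23.1.0 mod-circulation 14.1.0
RMB 23.2.1 mod-calendar 1.2.0 (jackson-databind 2.8.11.1)
RMB ?????? mod-credits not on https://github.com/folio-org
RMB 15.0.2 mod-login-saml 1.2.1 (jackson.version 2.9.7)
RMB 23.2.2 mod-made-up-a 1.0.0
RMB 23.3.1 mod-made-up-b 1.0.0
"""
```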



Comments
Comment by Peter Murray [ 07/Jan/19 ]

Is the intent to update the modules using 2.8.x of jackson-databind to 2.9.x? If so, you may also want to link in FOLIO-1683 (Closed).

Comment by Julian Ladisch [ 08/Jan/19 ]

No, this issue is not for 2.8.x. RMB never used 2.8.x.

RMB before v19.1.0 shipped jackson-databind 2.2.2.
RMB since v19.1.0 ships jackson-databind 2.9.x.
https://github.com/folio-org/raml-module-builder/pull/183/commits/22995fa64c16c799e57a80d228306b644dbfc577

Modules with RMB >= 19.1.0 that have jackson-databind 2.8.x in their <dependency> section automatically get the 2.9.x version shipped with that RMB version.
Modules with RMB < 19.1.0 that have jackson-databind 2.8.x in their <dependency> section use the 2.8.x version.

However, any module can explicitly override the version by using the <dependencyManagement><dependencies> section; this allows using a smaller version than the one shipped by RMB or other dependencies. Example: https://github.com/folio-org/mod-calendar/blob/v1.2.0/pom.xml#L123-L127

Comment by Peter Murray [ 08/Jan/19 ]

Okay, thanks for the explanation. I appreciate knowing the details.

Comment by Peter Murray [ 19/Feb/19 ]

Julian Ladisch I'm not sure how you generated the list in this issue's description, but can you do it again? The only `jackson-databind` issue remaining that I'm aware of is MODLOGSAML-39 (Closed), and I want to confirm that is true.

Comment by Julian Ladisch [ 14/Mar/19 ]

Peter Murray I can redo the analysis on the folio-snapshot modules.

Comment by Peter Murray [ 14/Mar/19 ]

Julian Ladisch: Actually, I think this can be closed. GitHub is no longer reporting jackson-databind as a security issue. If you can confirm and close, that would be great.

Comment by Julian Ladisch [ 14/Mar/19 ]

I cannot confirm without checking the modules.
If you want me to redo the check (similar to the one I did before) the core-platform scrum master/product owner needs to assign this jira to me for some sprint so that I can spend some time on it.

Comment by Peter Murray [ 14/Mar/19 ]

Ah, okay. I'm relatively confident that GitHub has found all of the jackson-databind vulnerabilities. There are other things I'm seeing with the snyk.io tool that I'm testing, but this isn't one of them. Closing.
