[FOLIO-2205] Track security vulnerability fixes reported in jackson-databind >= 2.0.0, < 2.9.9.2 Created: 02/Aug/19  Updated: 03/Jun/20  Resolved: 27/Jan/20

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Umbrella Priority: TBD
Reporter: Peter Murray Assignee: Unassigned
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
is blocked by MODCXMUX-54 Fix security vulnerabilities reported... Closed
is blocked by MODDICONV-75 Fix security vulnerabilities reported... Closed
is blocked by MODKBEKBJ-297 Fix security vulnerabilities reported... Closed
is blocked by MODCAL-47 Fix security vulnerabilities reported... Closed
is blocked by MODEMAIL-22 Fix security vulnerabilities reported... Closed
is blocked by MODEUS-40 Fix security vulnerabilities reported... Closed
is blocked by MODEVENTC-11 Fix security vulnerabilities reported... Closed
is blocked by MODLOGSAML-47 Fix security vulnerabilities reported... Closed
is blocked by MODPWD-22 Fix security vulnerabilities reported... Closed
is blocked by MODTEMPENG-22 Fix security vulnerabilities reported... Closed
is blocked by RMB-442 Fix security vulnerabilities reported... Closed
Sprint:

Description

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9.2 or later. For example:

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <!-- Maven version range: 2.9.9.2 or any later release -->
    <version>[2.9.9.2,)</version>
</dependency>

Always verify the validity and compatibility of suggestions with your codebase.
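As an added example (not part of this ticket or of any FOLIO module), a small Python check that reads `mvn dependency:tree` output and flags every jackson-databind version inside the tracked range >= 2.0.0, < 2.9.9.2; the four-component fix version is compared numerically so that 2.9.9 sorts below 2.9.9.2. The dependency-tree lines are constructed sample input.

```python
import re
from typing import Iterable, List, Tuple

# Affected range from the ticket: >= 2.0.0 and < 2.9.9.2 (CVE-2019-14379, CVE-2019-14439).
AFFECTED_MIN, FIXED_IN = "2.0.0", "2.9.9.2"

# A jackson-databind coordinate as printed by `mvn dependency:tree`, e.g.
# "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile"
_COORD = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([0-9][0-9A-Za-z.\-]*):")

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.9.9.2' -> (2, 9, 9, 2); a non-numeric tail such as '-SNAPSHOT' is dropped."""
    nums: List[int] = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def compare(a: str, b: str) -> int:
    """Numeric comparison with zero padding, so 2.9.9 < 2.9.9.2 and 2.10.0 > 2.9.9.2."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)

def is_affected(version: str) -> bool:
    return compare(version, AFFECTED_MIN) >= 0 and compare(version, FIXED_IN) < 0

def find_databind_versions(tree_lines: Iterable[str]) -> List[str]:
    """Every jackson-databind version in the tree, direct or transitive."""
    return [m.group(1) for m in map(_COORD.search, tree_lines) if m]

def affected_versions(tree_lines: Iterable[str]) -> List[str]:
    return [v for v in find_databind_versions(tree_lines) if is_affected(v)]

# Constructed sample of dependency:tree output; not taken from any FOLIO module.
SAMPLE_TREE = """\
[INFO] org.folio:example-module:jar:1.0.0-SNAPSHOT
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] \\- io.vertx:vertx-core:jar:3.8.0:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.2:compile
""".splitlines()

if __name__ == "__main__":
    for v in find_databind_versions(SAMPLE_TREE):
        print(v, "AFFECTED" if is_affected(v) else "ok")  # prints 2.9.9 AFFECTED, 2.9.9.2 ok
```

Run it against `mvn dependency:tree -Dverbose` output for each module to see transitive copies that Maven's conflict resolution would otherwise hide.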

Details

CVE-2019-14379

moderate severity
*Vulnerable versions:* < 2.9.9.2
*Patched version:* 2.9.9.2

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.

CVE-2019-14439

moderate severity
*Vulnerable versions:* < 2.9.9.2
*Patched version:* 2.9.9.2

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.



Comments
Comment by Peter Murray [ 27/Jan/20 ]

Blocking issues are closed.

Generated at Thu Feb 08 23:18:59 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.