Critical security vulnerability for /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/jackson-databind-2.9.6.jar

Andrew Story

Critical security vulnerability for /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/jackson-databind-2.9.6.jar

Would it be possible in the next release of Ignite to upgrade the 3rd party
component
/opt/ignite/apache-ignite/libs/optional/ignite-rest-http/jackson-databind-2.9.6.jar
to jackson-databind-2.11.2.jar or greater?
This .jar is also present in
/opt/ignite/apache-ignite/libs/optional/ignite-kubernetes/ and may be in
other optional folders as well.

This component jackson-databind-2.9.6.jar is flagged as having numerous
critical, high and medium security vulnerabilities, one of which is
described here:
https://nvd.nist.gov/vuln/detail/CVE-2019-14540

I can provide a more complete list of vulnerabilities if that helps.

The latest version of this component appears to be 2.11.2 which should
resolve these vulnerabilities:
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.11.2 

Note if there is a better way to provide this information/request please let
me know.

Thanks,

Andrew Story



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
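
The post notes that the jar may sit in several optional folders. The following is an added example, not part of the original thread and not Apache Ignite code: a script that lists every `jackson-databind` copy under a libs directory older than the 2.11.2 named in the post. It assumes Maven-style file names (`jackson-databind-<version>.jar`), so renamed or shaded copies are not detected; the `constructed-module` folder in the demo is made up.

```python
import re
import tempfile
from pathlib import Path

# Assumption: jars keep the Maven naming "jackson-databind-<version>[-qualifier].jar".
JAR_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+)*)([.-][A-Za-z0-9.]+)?\.jar$")
MIN_VERSION = (2, 11, 2)  # upgrade target named in the post


def parse_version(name):
    """Return the numeric version tuple from a jar file name, or None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def find_outdated(libs_root, minimum=MIN_VERSION):
    """List (relative path, version) for every copy older than `minimum`."""
    root = Path(libs_root)
    hits = []
    for jar in sorted(root.rglob("jackson-databind-*.jar")):
        version = parse_version(jar.name)
        if version is not None and version < minimum:
            rel = jar.relative_to(root).as_posix()
            hits.append((rel, ".".join(str(n) for n in version)))
    return hits


def demo():
    """Scan a constructed tree of empty placeholder files (not real jars)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("optional/ignite-rest-http/jackson-databind-2.9.6.jar",
                    "optional/ignite-kubernetes/jackson-databind-2.9.6.jar",
                    "optional/constructed-module/jackson-databind-2.11.2.jar"):
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.touch()
        return find_outdated(tmp)


if __name__ == "__main__":
    import sys
    # With no argument the constructed demo tree is scanned; pass the real
    # libs directory (e.g. the install path quoted in the post) to scan it.
    results = find_outdated(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel_path, version in results:
        print(f"{version}\t{rel_path}")
```
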
ilya.kasnacheev

Re: Critical security vulnerability for /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/jackson-databind-2.9.6.jar

Hello!

Please file an issue against Apache Ignite JIRA: https://issues.apache.org/jira/browse/IGNITE

Regards,
--
Ilya Kasnacheev


Sat, 19 Sep 2020 at 02:22, Andrew Story <[hidden email]>:
Would it be possible in the next release of Ignite to upgrade the 3rd party
component
/opt/ignite/apache-ignite/libs/optional/ignite-rest-http/jackson-databind-2.9.6.jar
to jackson-databind-2.11.2.jar or greater?
This .jar is also present in
/opt/ignite/apache-ignite/libs/optional/ignite-kubernetes/ and may be in
other optional folders as well.

This component jackson-databind-2.9.6.jar is flagged as having numerous
critical, high and medium security vulnerabilities, one of which is
described here:
https://nvd.nist.gov/vuln/detail/CVE-2019-14540

I can provide a more complete list of vulnerabilities if that helps.

The latest version of this component appears to be 2.11.2 which should
resolve these vulnerabilities:
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.11.2

Note if there is a better way to provide this information/request please let
me know.

Thanks,

Andrew Story



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
Andrew Story

Re: Critical security vulnerability for /opt/ignite/apache-ignite/libs/optional/ignite-rest-http/jackson-databind-2.9.6.jar