zookeeper-issues mailing list archives

From "Enrico Olivelli (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814
Date Sun, 23 Jun 2019 20:29:00 GMT

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-3441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Enrico Olivelli updated ZOOKEEPER-3441:
---------------------------------------
    Description: 
OWASP dependency checker is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 (https://nvd.nist.gov/vuln/detail/CVE-2019-12814)

We should upgrade the library but we are currently using the latest and greatest 2.9.9.


{noformat}
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9.
When Default Typing is enabled (either globally or for a specific property) for an externally
exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker
can send a specifically crafted JSON message that allows them to read arbitrary local files
on the server.
{noformat}

We don't have jdom on the classpath, so we are not affected directly by this change, but users
that are using ZooKeeper Server in a custom environment should take note of this issue.

This is the issue on Jackson: https://github.com/FasterXML/jackson-databind/issues/2341






  was:
OWASP dependency checker is flagging jackson-databind-2.9.9.jar for CVE-2019-12814
We should upgrade the library or add a suppression.


> OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814
> ---------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3441
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3441
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: build, security
>    Affects Versions: 3.6.0
>            Reporter: Enrico Olivelli
>            Assignee: Enrico Olivelli
>            Priority: Critical
>             Fix For: 3.6.0
>
>
> OWASP dependency checker is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 (https://nvd.nist.gov/vuln/detail/CVE-2019-12814)
> We should upgrade the library but we are currently using the latest and greatest 2.9.9.
> {noformat}
> A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9.
> When Default Typing is enabled (either globally or for a specific property) for an externally
> exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker
> can send a specifically crafted JSON message that allows them to read arbitrary local files
> on the server.
> {noformat}
> We don't have jdom on the classpath, so we are not affected directly by this change, but users
> that are using ZooKeeper Server in a custom environment should take note of this issue.
> This is the issue on Jackson: https://github.com/FasterXML/jackson-databind/issues/2341



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
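Added example (editor's illustration, not code from the ZooKeeper or Jackson projects): the CVE text above names two preconditions, Default Typing enabled on an externally reachable jackson-databind endpoint and a JDOM 1.x/2.x jar on the classpath. The snippet below puts the weak ObjectMapper configuration beside a hardened one that expresses polymorphism through a closed set of logical type names, and adds the startup check a user deploying ZooKeeper in a custom environment would want for the second precondition. It assumes jackson-databind 2.9.x (and its jackson-annotations dependency) on the classpath; the class, field and type names (DefaultTypingExample, Envelope, Request, Ping, Echo, "ping"/"echo") are illustrative, and the JDOM gadget classes are deliberately not reproduced.

```java
// Editor-added example, not ZooKeeper or Jackson project code.
// Assumes jackson-databind 2.9.x on the classpath; names are illustrative.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingExample {

    // Weak: global Default Typing (first precondition of CVE-2019-12814).
    // Every Object-typed (or non-concrete) value may now arrive as
    // ["fully.qualified.ClassName", {...}] and jackson-databind instantiates
    // the named class. With JDOM on the classpath the sender can name a JDOM
    // class whose property setters read a local file.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE; deprecated in 2.10
        return mapper;
    }

    // Hardened: Default Typing stays off (the ObjectMapper default). Polymorphic
    // requests are bound to logical names mapped onto an explicit, closed set of
    // subtypes, so JSON can never name a class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Ping.class, name = "ping"),
        @JsonSubTypes.Type(value = Echo.class, name = "echo")
    })
    interface Request {}

    static class Ping implements Request {}

    static class Echo implements Request {
        public String text;
    }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // A wrapper with an Object-typed field: exactly the shape that Default
    // Typing turns into a sender-chosen class name.
    static class Envelope {
        public Object payload;
    }

    // Startup check for the second precondition: is JDOM 1.x or 2.x loadable?
    // org.jdom.Document ships with JDOM 1.x, org.jdom2.Document with JDOM 2.x.
    static boolean jdomOnClasspath() {
        for (String cls : new String[] {"org.jdom.Document", "org.jdom2.Document"}) {
            try {
                Class.forName(cls, false, DefaultTypingExample.class.getClassLoader());
                return true;
            } catch (ClassNotFoundException ignored) {
                // not present under this name, try the next one
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages (not captured traffic).
        String ok = "{\"type\":\"echo\",\"text\":\"hello\"}";
        Request r = hardenedMapper().readValue(ok, Request.class);
        System.out.println("hardened: parsed " + r.getClass().getSimpleName());

        // A class name in the "type" slot is just an unknown logical id here.
        String hostile = "{\"type\":\"org.jdom2.Document\",\"text\":\"x\"}";
        try {
            hardenedMapper().readValue(hostile, Request.class);
        } catch (JsonMappingException e) {
            System.out.println("hardened: rejected unknown type id");
        }

        // With the weak mapper the sender decides which class the Object field
        // becomes. A harmless JDK type is used here only to show the mechanism.
        String typed = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
        Envelope env = weakMapper().readValue(typed, Envelope.class);
        System.out.println("weak: payload became " + env.payload.getClass().getName());

        System.out.println("JDOM on classpath: " + jdomOnClasspath());
    }
}
```

Run it once with only jackson-databind on the classpath and once with a JDOM jar added: the hardened mapper behaves identically in both cases, while the weak mapper plus JDOM is the combination the CVE describes. If Default Typing is genuinely required, jackson-databind 2.10 and later replace enableDefaultTyping() with activateDefaultTyping(PolymorphicTypeValidator, ...) so that only an allow-listed set of base and sub types can be named from JSON; on 2.9.9 the equivalent protection is to not enable it.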
