IBMStreams/streamsx.hbase

Vulnerability found in org.codehaus.jackson:jackson-mapper-asl

schubon opened this issue · 2 comments

Details

CVE-2019-10172

moderate severity
Vulnerable versions: <= 1.9.13
Patched version: No fix

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect codehaus jackson-mapper-asl libraries but in different classes.

Remediation

No patched version is available.

The latest versions of the jackson-core-asl and jackson-mapper-asl libraries are 1.9.13 and they are from 2013.
There have been no further releases since then.

Hadoop and HBase also use these libraries in the newest released version, 3.1 from Nov. 2019.

/usr/hdp/3.1.0.0-78/hbase/lib/jackson-core-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hbase/lib/jackson-mapper-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-core-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-mapper-asl-1.9.13.jar
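
As an added check, not part of the streamsx.hbase project or of this issue: since no fixed release of the asl artifacts exists, the practical remediation step on a cluster is to inventory where the jars sit. The POSIX shell script below scans library directories for jackson-core-asl / jackson-mapper-asl jars, parses the version out of the file name, skips -sources/-javadoc classifier jars and flags everything at or below 1.9.13. The HDP paths and jar names come from the comment above; the helper names (version_le, scan_jackson_asl, report_vulnerable, count_vulnerable, make_fixture) and the fixture tree of empty placeholder jars are constructed for this example.

```sh
#!/bin/sh
# Added example (not streamsx.hbase or HDP code): inventory the org.codehaus
# jackson-*-asl jars that CVE-2019-10172 covers.  Run with one or more library
# directories as arguments; with no arguments it scans a constructed fixture.

LAST_RELEASED=1.9.13   # newest release of the asl artifacts (2013); nothing patched exists

# version_le A B: exit 0 if dotted version A <= B, compared component by component.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# scan_jackson_asl DIR...: print "path<TAB>artifact<TAB>version" for each
# jackson-core-asl-*.jar / jackson-mapper-asl-*.jar found.  Classifier jars
# (-sources, -javadoc) carry no bytecode and are skipped.
scan_jackson_asl() {
    find "$@" -type f \( -name 'jackson-core-asl-*.jar' -o -name 'jackson-mapper-asl-*.jar' \) 2>/dev/null |
    while IFS= read -r jar; do
        base=${jar##*/}; base=${base%.jar}
        artifact=${base%-*}          # "jackson-mapper-asl"
        version=${base##*-}          # "1.9.13", or "sources" for a classifier jar
        case $version in
            *[!0-9.]*) continue ;;   # not a numeric version: skip
        esac
        printf '%s\t%s\t%s\n' "$jar" "$artifact" "$version"
    done
}

# report_vulnerable DIR...: print only the jars whose version is <= LAST_RELEASED
# (for this artifact that is every released version).
report_vulnerable() {
    scan_jackson_asl "$@" |
    while IFS="$(printf '\t')" read -r jar artifact version; do
        if version_le "$version" "$LAST_RELEASED"; then
            printf '%s\t%s\t%s\tCVE-2019-10172 (no fixed release)\n' "$jar" "$artifact" "$version"
        fi
    done
}

# count_vulnerable DIR...: number of flagged jars, for scripting and tests.
count_vulnerable() {
    report_vulnerable "$@" | wc -l | tr -d ' '
}

# make_fixture: constructed tree mirroring the HDP 3.1.0.0-78 layout quoted in
# the issue, populated with empty placeholder files instead of real jars.
make_fixture() {
    root=$(mktemp -d)
    for d in hbase/lib hadoop/lib; do
        mkdir -p "$root/usr/hdp/3.1.0.0-78/$d"
        : > "$root/usr/hdp/3.1.0.0-78/$d/jackson-core-asl-1.9.13.jar"
        : > "$root/usr/hdp/3.1.0.0-78/$d/jackson-mapper-asl-1.9.13.jar"
    done
    # Neighbours that must not be flagged: a com.fasterxml artifact and a sources jar.
    : > "$root/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-databind-2.10.0.jar"
    : > "$root/usr/hdp/3.1.0.0-78/hbase/lib/jackson-mapper-asl-1.9.13-sources.jar"
    printf '%s\n' "$root"
}

if [ "$#" -gt 0 ]; then
    report_vulnerable "$@"            # e.g. sh scan.sh /usr/hdp/3.1.0.0-78/hbase/lib
else
    fixture=$(make_fixture)           # no arguments: scan the constructed fixture
    report_vulnerable "$fixture"      # prints the four placeholder asl jars
    rm -rf "$fixture"
fi
```

On a real node, point it at the hbase/lib and hadoop/lib directories of every installed HDP version (and at the application's own lib directory), since the same jar is typically copied into several places; the version comparison matters little here because no version is fixed, but it keeps the script correct if the same check is reused for an artifact that does have a patched release.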

Correction delivered in streamsx.hbase version 3.8.2
https://github.com/IBMStreams/streamsx.hbase/releases/tag/v3.8.2