Vulnerability found in org.codehaus.jackson:jackson-mapper-asl
schubon opened this issue · 2 comments
Details
CVE-2019-10172
moderate severity
Vulnerable versions: <= 1.9.13
Patched version: No fix
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect codehaus jackson-mapper-asl libraries but in different classes.
Remediation
No patched version is available.
The latest versions of the jackson-core-asl and jackson-mapper-asl libraries are 1.9.13 and they are from 2013.
There have been no further releases since then.
Hadoop and HBase also use these libraries in the newest released version 3.1 from Nov. 2019.
/usr/hdp/3.1.0.0-78/hbase/lib/jackson-core-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hbase/lib/jackson-mapper-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-core-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-mapper-asl-1.9.13.jar
Correction delivered in streamsx.hbase version 3.8.2
https://github.com/IBMStreams/streamsx.hbase/releases/tag/v3.8.2