jackson-databind-2.13.1.jar contains vulnerability
MrRoubos opened this issue · 7 comments
Hi,
First of all, thanks for this handy API!
My Jenkins / OWASP dependency check failed because of:
CVE-2020-36518
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
I 'fixed' it in my project's POM by excluding this lib and using the more recent lib by adding:
```xml
<!-- pin the patched version once -->
<properties>
  <jackson.version>2.13.2.1</jackson.version>
</properties>

<!-- inside the <dependency> that pulls jackson-databind in transitively -->
<exclusions>
  <exclusion>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
  </exclusion>
</exclusions>

<!-- then declare the pinned version as a direct dependency -->
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>${jackson.version}</version>
</dependency>
```
Perhaps this lib also can be upgraded in the nextcloud-java-api.
Cheers, Jan
Hello @MrRoubos,
thanks for reporting this.
There is already a 2.13.2.2 available.
I have just released 12.0.1 with updated dependencies.
André
Hi @a-schild ,
Thanks for the quick response/fix!
I upgraded the nextcloud-api lib to 12.0.1, but if I remove the jackson-databind exclusion, the old 2.13.1 is still being used, caused by the jaxb-runtime.
```text
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7,0':
[ERROR]
[ERROR] jackson-databind-2.13.1.jar: CVE-2020-36518
```
See part of the `mvn dependency:tree` output:
```text
[INFO] +- org.aarboard.nextcloud:nextcloud-api:jar:12.0.1:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO] |  +- org.apache.httpcomponents:httpasyncclient:jar:4.1.5:compile
[INFO] |  |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.15:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- com.github.lookfirst:sardine:jar:5.10:compile
[INFO] |  +- commons-io:commons-io:jar:2.11.0:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  +- org.glassfish.jaxb:jaxb-runtime:jar:2.3.5:compile
[INFO] |  |  +- org.glassfish.jaxb:txw2:jar:2.3.5:compile
[INFO] |  |  +- com.sun.istack:istack-commons-runtime:jar:3.0.12:compile
[INFO] |  |  \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.1:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-core:jar:2.13.1:compile
```
So I have to add the exclusion for now again. No problem.
Cheers, Jan
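The tree above shows why a single exclusion is not enough: what matters is every path through which Maven resolves the artifact, and the version it ends up with. The following script is an added example, not code from nextcloud-java-api or from anyone in this thread. It parses plain `mvn dependency:tree` output, lists each path that resolves a given artifact, and fails the gate when the resolved version is below a minimum. The embedded sample is a trimmed, constructed copy of the 12.0.1 tree posted above, and the threshold 2.13.2.1 is simply the version the reporter pinned; adjust both for your own build.

```python
"""Gate on the resolved version of a transitive Maven dependency.

Parses the plain-text output of `mvn dependency:tree` and reports every
path through which a given artifact is resolved, flagging any path whose
resolved version is below a required minimum.
"""
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Constructed sample input: a trimmed copy of the `mvn dependency:tree`
# output quoted in this thread (nextcloud-api 12.0.1). Maven prints `\-`
# for the last child; the issue text lost the backslashes.
SAMPLE_TREE = r"""
[INFO] +- org.aarboard.nextcloud:nextcloud-api:jar:12.0.1:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- org.glassfish.jaxb:jaxb-runtime:jar:2.3.5:compile
[INFO] |  |  +- org.glassfish.jaxb:txw2:jar:2.3.5:compile
[INFO] |  |  \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.1:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-core:jar:2.13.1:compile
"""

# One tree line: "[INFO] " + N blocks of 3 chars ("|  " or "   ") + "+- " or "\- " + coordinate.
_LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ] {2})*)(?:\+-|\\-) (?P<coord>\S+)")


def parse_coordinate(coord: str) -> Dict[str, str]:
    """Split 'group:artifact:type[:classifier]:version:scope' into its fields."""
    parts = coord.split(":")
    if len(parts) == 5:
        group, artifact, _type, version, scope = parts
    elif len(parts) == 6:
        group, artifact, _type, _classifier, version, scope = parts
    else:
        raise ValueError(f"unexpected coordinate: {coord}")
    return {"group": group, "artifact": artifact, "version": version, "scope": scope}


def walk_tree(tree_text: str) -> Iterator[Tuple[Dict[str, str], List[str]]]:
    """Yield (node, path) for every dependency line.

    path is the chain of 'group:artifact:version' labels from the top-level
    dependency down to and including this node, so the caller can see which
    direct dependency is responsible for pulling the artifact in.
    """
    stack: List[str] = []
    for line in tree_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # root project line or non-tree output
        depth = len(m.group("prefix")) // 3
        node = parse_coordinate(m.group("coord"))
        del stack[depth:]  # unwind to this node's parent
        stack.append(f"{node['group']}:{node['artifact']}:{node['version']}")
        yield node, list(stack)


def find_resolutions(tree_text: str, group: str, artifact: str) -> List[Tuple[str, List[str]]]:
    """All (version, path) pairs under which group:artifact appears in the tree."""
    return [(n["version"], path) for n, path in walk_tree(tree_text)
            if n["group"] == group and n["artifact"] == artifact]


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key: '2.13.1' < '2.13.2' < '2.13.2.1' < '2.13.2.2'.

    Non-numeric qualifiers such as '-SNAPSHOT' are ignored. Good enough for
    Jackson's four-part patch releases; not a full Maven ComparableVersion.
    """
    nums = tuple(int(x) for x in re.findall(r"\d+", version))
    return nums + (0,) * (4 - len(nums))


def check_minimum(tree_text: str, group: str, artifact: str, min_version: str) -> List[str]:
    """One message per path that resolves the artifact below min_version.

    An empty list means every resolution of the artifact meets the minimum.
    """
    problems = []
    for version, path in find_resolutions(tree_text, group, artifact):
        if version_key(version) < version_key(min_version):
            problems.append(f"{group}:{artifact}:{version} < {min_version} via "
                            + " -> ".join(path))
    return problems


if __name__ == "__main__":
    # Usage: mvn dependency:tree > tree.txt && python gate.py tree.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    findings = check_minimum(text, "com.fasterxml.jackson.core", "jackson-databind", "2.13.2.1")
    for finding in findings:
        print(finding)
    sys.exit(1 if findings else 0)
```

Because the report names the full path, it tells you which direct dependency to add the exclusion to, or whether a `dependencyManagement` entry (or a parent such as Spring Boot that manages `jackson.version`) is the better fix, since one managed version applies to every path at once.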
@MrRoubos can you please test with 12.0.2 release?
The dependency should now be ok
I'm sorry, but it is still complaining about the jackson-databind 2.13.1:
```text
jackson-databind-2.13.1.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1, cpe:2.3:a:fasterxml:jackson-databind:2.13.1:::::::, cpe:2.3:a:fasterxml:jackson-modules-java8:2.13.1:::::::) : CVE-2020-36518
```
See the dependency-check report for more details.
```text
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:53 min
[INFO] Finished at: 2022-04-01T15:27:24+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.1:check (default) on project ctrapplication:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7,0':
[ERROR]
[ERROR] jackson-databind-2.13.1.jar: CVE-2020-36518
[ERROR]
[ERROR] See the dependency-check report for more details.
```
```text
[INFO] +- org.aarboard.nextcloud:nextcloud-api:jar:12.0.2:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO] |  +- org.apache.httpcomponents:httpasyncclient:jar:4.1.5:compile
[INFO] |  |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.15:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- com.github.lookfirst:sardine:jar:5.10:compile
[INFO] |  +- commons-io:commons-io:jar:2.11.0:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  +- org.glassfish.jaxb:jaxb-runtime:jar:2.3.5:compile
[INFO] |  |  +- org.glassfish.jaxb:txw2:jar:2.3.5:compile
[INFO] |  |  +- com.sun.istack:istack-commons-runtime:jar:3.0.12:compile
[INFO] |  |  \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.1:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-core:jar:2.13.1:compile
```
Something must be wrong on your project.
If you look at this, it shows com.fasterxml.jackson.core:jackson-databind 2.13.2.2 as the dependency:
https://github.com/a-schild/nextcloud-java-api/network/dependencies
Yes, that looks fine, very interesting :) I removed the glassfish 2.3.5 from my repo, but it keeps pulling the 2.3.5 version.
I will dive into it. Thanks so far !
Yes!!! In the end I succeeded :) after upgrading spring-boot from 2.6.3 to 2.6.6 and running `mvn versions:display-dependency-updates`.
So now my project is up-to-date again. The dependencies are sometimes a little hard for me.
Cheers, Jan