bguerout/jongo

Upgrade jackson-databind to 2.9.x for vulnerability issue

Iker-Jimenez opened this issue · 10 comments

jackson-databind prior to 2.9.1 has a serious remote execution bug. See FasterXML/jackson-databind#1723

We are using jongo in production and will be forced to remove it if we don't get a patched version of it soon. Is there an ETA for a new release of jongo with a newer version of jackson-databind?

That ticket shows that the patch was rolled out to the 2.8.x, 2.7.x, and 2.6.x lines of development. I am running Jongo with the 2.8.x line. You should just be able to update your Jackson dependency.

@ctrimble is right.
I have just tested release 1.3.0 against Jackson v2.8.10 (+bson4jackson v2.7.0) and all tests pass.
According to this issue, FasterXML/jackson-databind#1737, v2.8.10 contains the most recent blacklist.

True. But irrespective of whether upgrading to 2.9.x is necessary, Jongo does prevent doing so, it seems:

com.fasterxml.jackson.databind.introspect.AnnotatedMember.fixAccess()V
	at org.jongo.marshall.jackson.JacksonObjectIdUpdater.mustGenerateObjectId(JacksonObjectIdUpdater.java:48)
	at org.jongo.Insert.preparePojo(Insert.java:72)
	at org.jongo.Insert.save(Insert.java:47)
	at org.jongo.MongoCollection.save(MongoCollection.java:128)
	...

I haven't checked myself whether it'd be hard to fix this in a backwards-compatible manner; just to point out that this ticket has merit.

@Stephan202 I agree that 2.9.x support needs to be added at some point, but this ticket should stay focused on providing an immediate way to resolve this vulnerability. A different ticket should be opened about supporting 2.9.x.

Actually, I forgot that my very own colleague @philleonard fixed that issue in PR #312. Maybe we can have a release with that? :D.

Thanks @Stephan202, @ctrimble and @bguerout for the super quick response. You are right, we can use 2.8.10 to close the security issue.
We also tried building Jongo from master with the 2.9.2 version, as @Stephan202 did, and hit that same issue with "fixAccess".
There is definitely some work involved in migrating to jackson-databind 2.9.x; it looks like some of the API methods you guys are using have been removed.
Thanks again for being so helpful.

Closing this, as we can specify the newest jackson-databind in our project to fix the problem. I think you should consider releasing a 1.3.1 with a patched version of jackson-databind anyway, to help secure projects using your library.
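The dependency override the commenters describe, written out as an added Maven pom.xml fragment (not from the thread or the Jongo project): it keeps jongo 1.3.0 and pins the transitive jackson-databind to the 2.8.10 line reported as tested above, with bson4jackson 2.7.0; the 2.9.x line is deliberately not used here because of the fixAccess incompatibility shown earlier, and the jackson-core and jackson-annotations entries are added on the assumption that the three Jackson artifacts should be kept at one version.

```xml
<!-- Added example: force the patched jackson-databind line underneath jongo 1.3.0.
     Without dependencyManagement, Maven resolves the version jongo 1.3.0 declares
     transitively, which is older than 2.8.10 and therefore still exposed. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Pin all three Jackson artifacts together; mismatched core/databind
           versions are a classic source of runtime NoSuchMethodError. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.8.10</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>2.8.10</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>2.8.10</version>
      </dependency>
      <!-- bson4jackson version the thread reports as passing Jongo's test suite. -->
      <dependency>
        <groupId>de.undercouch</groupId>
        <artifactId>bson4jackson</artifactId>
        <version>2.7.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Jongo itself stays on 1.3.0; the Jackson versions above override its
         transitive declarations. -->
    <dependency>
      <groupId>org.jongo</groupId>
      <artifactId>jongo</artifactId>
      <version>1.3.0</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override actually took effect with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind`, which should list only 2.8.10; any other version in the output means another dependency is still pulling the old line in.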

Hi, why is there no 1.3.1 release yet? We updated to Jackson 2.9.2 and we are not able to use Jongo anymore. I know there is a version 1.4 pending, but there is no release in the Maven repository. Can you provide a workaround? Thanks in advance.

Hello, you can find the release plan in the milestones section of the project: https://github.com/bguerout/jongo/milestones.

To sum up,

  • 1.3.1: Jackson fixAccess(true) and Jackson update to 2.7.9
  • 1.4.0: Jackson and bson4jackson updated to 2.9.x
  • 1.5.0: New API to deal with mongo java driver API v3

Hello 1.3.1 and 1.4.0 have been released.

1.3.1: Jackson fixAccess(true) and Jackson update to 2.7.9
1.4.0: Jackson and bson4jackson updated to 2.9.x and enhancement of Jongo classes extensibility

You can find more information here: https://github.com/bguerout/jongo/releases