logstash-plugins/logstash-input-beats

Jackson Databind Vulnerabilities (2019)


Looks like a few more Jackson Databind vulnerabilities were released recently, adding to the total found in the versions distributed with Logstash input beats v6.0.0; some are more serious deserialization bugs (CVE-2019-14379 / FasterXML/jackson-databind#2387).
I see others have raised an issue for log4j updates as well (similar vulns reported, though maybe less reachable/exploitable).

I have to imagine many users who run 3rd-party dependency vulnerability scans are flagging now on the logstash-input-beats plugin due to the libraries it includes. Are there any plans to update this plugin's dependencies? I'd be happy to try if there are some instructions on getting going. From the looks of it, a naive approach might simply be to update the build.gradle dependency definitions from 2.9.7 to 2.9.9.2 and see if it passes the tests?
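
The kind of check a dependency scanner performs on the plugin's compile dependencies, and the build.gradle bump the reporter proposes, as an added example that is not part of this issue or of the logstash-input-beats project. The build.gradle fragment is constructed for the demo, and the only "fixed version" it knows is the 2.9.9.2 floor for jackson-databind that the reporter suggests; a real scan would load that table from an advisory feed rather than hard-code it.

```python
import re

# Constructed build.gradle fragment for demonstration; it is not the plugin's
# real build file, only the shape of the compile dependency lines the reporter
# proposes editing.
SAMPLE_BUILD_GRADLE = """\
dependencies {
    compile 'com.fasterxml.jackson.core:jackson-core:2.9.7'
    compile 'com.fasterxml.jackson.core:jackson-databind:2.9.7'
    compile "org.apache.logging.log4j:log4j-core:2.11.1"
    testCompile 'junit:junit:4.12'
}
"""

# Assumed floor versions: the single entry is the jackson-databind 2.9.9.2 the
# reporter suggests moving to. Populate this from an advisory feed in practice.
MIN_FIXED = {
    "com.fasterxml.jackson.core:jackson-databind": "2.9.9.2",
}

# Matches lines such as:  compile 'group:artifact:version'  (either quote style)
DEP_RE = re.compile(
    r"""^\s*(?P<conf>\w+)\s+(?P<q>['"])(?P<group>[^:'"]+):(?P<artifact>[^:'"]+):(?P<version>[^'"]+)(?P=q)""",
    re.MULTILINE,
)


def version_key(version):
    """Comparable key for dotted release versions such as 2.9.7 or 2.9.9.2.

    Tuples compare element-wise and a shorter tuple sorts before a longer one
    with the same prefix, so 2.9.9 < 2.9.9.2 < 2.9.10 as Maven ordering
    requires. A qualifier after '-' (e.g. -SNAPSHOT) is stripped and ranks
    below the bare release of the same number.
    """
    base, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    return (nums, 0 if qualifier else 1)


def parse_dependencies(gradle_text):
    """Return (configuration, 'group:artifact', version) per dependency line."""
    return [
        (m.group("conf"), f"{m.group('group')}:{m.group('artifact')}", m.group("version"))
        for m in DEP_RE.finditer(gradle_text)
    ]


def scan(gradle_text, min_fixed=MIN_FIXED):
    """Flag each dependency whose declared version is below its fixed version.

    Returns a list of (coordinate, declared_version, min_fixed_version).
    """
    findings = []
    for _conf, coord, version in parse_dependencies(gradle_text):
        floor = min_fixed.get(coord)
        if floor is not None and version_key(version) < version_key(floor):
            findings.append((coord, version, floor))
    return findings


def bump_dependency(gradle_text, coord, new_version):
    """Rewrite the version of one coordinate in place (the 'naive approach')."""
    group, artifact = coord.split(":")
    pattern = re.compile(
        rf"""(?P<prefix>(?P<q>['"]){re.escape(group)}:{re.escape(artifact)}:)[^'"]+(?P=q)"""
    )
    return pattern.sub(lambda m: f"{m.group('prefix')}{new_version}{m.group('q')}", gradle_text)


if __name__ == "__main__":
    for coord, have, need in scan(SAMPLE_BUILD_GRADLE):
        print(f"VULNERABLE {coord} {have} < {need}")
    patched = bump_dependency(
        SAMPLE_BUILD_GRADLE, "com.fasterxml.jackson.core:jackson-databind", "2.9.9.2"
    )
    print("after bump:", scan(patched) or "clean")
```

Note that the bump only touches the coordinate named; jackson-core stays at 2.9.7 because the floor table says nothing about it, which is exactly why the table should come from a maintained advisory source rather than one issue's numbers.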

Thank you for the report @johnsontnc: plugin compile dependencies have been updated by #366 and are included in the 6.0.1 release.