Update Jackson version to 2.8.11.2 #30352
Comments
We are not exposed to this vulnerability.
Pinging @elastic/es-core-infra
Updated title to update Jackson version to 2.8.11.2 in order to cover 3 additional CVEs (see https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.8). I fully understand that Elasticsearch may not be exposed to these vulnerabilities. However, it does make life easier when examining dependencies using 3rd party scanners.
We are not exposed to these vulnerabilities.
I understand.
Elasticsearch version (bin/elasticsearch --version): 7.0.0-alpha1, 6.2.4, 6.1.4
Plugins installed: N/A
JVM version (java -version): N/A
OS version (uname -a if on a Unix-like system): N/A
Description of the problem including expected versus actual behavior:
Update Jackson version from 2.8.10 to 2.8.11 to address CVE-2018-7489, a deserialization flaw with CVSS v3.0 Base Score of 9.8 (critical).
Update to 2.8.10 was done via PR #27230 - merged prior to publication of CVE-2018-7489. Whilst the CVE fix is also available in Jackson v2.9.5, the PR explains that Jackson v2.8.11 is currently the only option...