
Update Jackson version to 2.8.11.2 #30352

Closed
msymons opened this issue May 2, 2018 · 4 comments · Fixed by #32670
Labels: :Core/Infra/Core Core issues without another label >upgrade

Comments


msymons commented May 2, 2018

Elasticsearch version (bin/elasticsearch --version):
7.0.0-alpha1
6.2.4
6.1.4

Plugins installed:
N/A

JVM version (java -version):
N/A

OS version (uname -a if on a Unix-like system):
N/A

Description of the problem including expected versus actual behavior:

Update Jackson version from 2.8.10 to 2.8.11 to address CVE-2018-7489, a deserialization flaw with a CVSS v3.0 Base Score of 9.8 (critical).

Update to 2.8.10 was done via PR #27230 - merged prior to publication of CVE-2018-7489. Whilst the CVE fix is also available in Jackson v2.9.5, the PR explains that Jackson v2.8.11 is currently the only option...

> While it's not possible to upgrade the Jackson dependencies to their latest versions yet (see #27032 (comment) for more) it's still possible to upgrade to the latest 2.8.x version.

@jasontedor
Member

We are not exposed to this vulnerability.

@jasontedor jasontedor added the :Core/Infra/Core Core issues without another label label May 3, 2018
@elasticmachine
Collaborator

Pinging @elastic/es-core-infra

@jasontedor jasontedor changed the title Update Jackson version to 2.8.11 to address CVE-2018-7489 Update Jackson version to 2.8.11 May 3, 2018
@msymons msymons changed the title Update Jackson version to 2.8.11 Update Jackson version to 2.8.11.2 Aug 6, 2018
@msymons
Author

msymons commented Aug 6, 2018

Updated title to update Jackson version to 2.8.11.2 in order to cover 3 additional CVEs:

See: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.8

I fully understand that Elasticsearch may not be exposed to these vulnerabilities. However, it does make life easier when examining dependencies using 3rd party scanners.
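The scanner argument above has a practical wrinkle: a scanner that flags "jackson-* below 2.8.11.2" has to compare four-component versions numerically, and a plain string comparison misorders 2.8.9 against 2.8.11.2. The script below is an added example, not code from this issue or from Elasticsearch. It walks a list of jar file names, extracts artifact and version, and reports every jackson-* jar below the 2.8.11.2 target from the issue title; the sample jar names are constructed for offline use, and the "jackson-" prefix and the target version are assumptions, not anything the issue specifies.

```python
"""Flag jackson-* jars below a target version, the way a dependency scanner would."""
import re
from pathlib import Path, PurePosixPath
from typing import Iterable, List, Optional, Tuple

# Target taken from the issue title; everything older on the classpath is reported.
TARGET_VERSION = "2.8.11.2"

# Constructed sample classpath for offline use (not a real Elasticsearch lib/ listing).
SAMPLE_JARS = [
    "lib/jackson-core-2.8.10.jar",
    "lib/jackson-dataformat-smile-2.8.10.jar",
    "lib/jackson-dataformat-yaml-2.8.10.jar",
    "lib/jackson-dataformat-cbor-2.8.10.jar",
    "lib/jackson-databind-2.8.9.jar",      # constructed straggler from an older build
    "lib/jackson-databind-2.8.11.2.jar",   # constructed: already at the target
    "lib/log4j-api-2.9.1.jar",             # unrelated artifact, must be ignored
]

# artifact-id, then a dotted numeric version, then an optional qualifier, then .jar
_JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[-.][^/]*)?\.jar$"
)


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Split 'jackson-core-2.8.10.jar' into ('jackson-core', '2.8.10'); None if not a jar."""
    m = _JAR_RE.match(name)
    return (m["artifact"], m["version"]) if m else None


def version_key(version: str, width: int = 4) -> Tuple[int, ...]:
    """Numeric, zero-padded key so 2.8.11.2 > 2.8.11 > 2.8.10 > 2.8.9 compare correctly."""
    parts = [int(p) for p in version.split(".")]
    if len(parts) > width:
        raise ValueError(f"version {version!r} has more than {width} components")
    return tuple(parts + [0] * (width - len(parts)))


def flag_outdated(jar_paths: Iterable[str], artifact_prefix: str = "jackson-",
                  target: str = TARGET_VERSION) -> List[Tuple[str, str]]:
    """Return (path, version) for matching jars whose version is numerically below target."""
    target_key = version_key(target)
    flagged = []
    for path in jar_paths:
        parsed = parse_jar_name(PurePosixPath(path).name)
        if parsed is None or not parsed[0].startswith(artifact_prefix):
            continue
        if version_key(parsed[1]) < target_key:
            flagged.append((path, parsed[1]))
    return flagged


def naive_flag_outdated(jar_paths: Iterable[str], artifact_prefix: str = "jackson-",
                        target: str = TARGET_VERSION) -> List[Tuple[str, str]]:
    """Same check with plain string comparison: wrong, because '9' sorts after '1'."""
    flagged = []
    for path in jar_paths:
        parsed = parse_jar_name(PurePosixPath(path).name)
        if parsed and parsed[0].startswith(artifact_prefix) and parsed[1] < target:
            flagged.append((path, parsed[1]))
    return flagged


def scan_lib_dir(lib_dir: str) -> List[Tuple[str, str]]:
    """Run the numeric check against jars on disk, e.g. scan_lib_dir('/usr/share/elasticsearch/lib')."""
    return flag_outdated(str(p) for p in Path(lib_dir).glob("*.jar"))


if __name__ == "__main__":
    for path, version in flag_outdated(SAMPLE_JARS):
        print(f"{path}: {version} < {TARGET_VERSION}")
    missed = set(flag_outdated(SAMPLE_JARS)) - set(naive_flag_outdated(SAMPLE_JARS))
    print("missed by string comparison:", sorted(missed))
```

On the constructed sample the numeric check reports the four 2.8.10 jars and the 2.8.9 databind jar, while the string-comparison variant silently skips 2.8.9 because "9" sorts after "1". Point scan_lib_dir at a real lib directory to check an installed distribution.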

@jasontedor
Member

We are not exposed to these vulnerabilities.

> I fully understand that Elasticsearch may not be exposed to these vulnerabilities. However, it does make life easier when examining dependencies using 3rd party scanners.

I understand.

@original-brownbear original-brownbear self-assigned this Aug 7, 2018
original-brownbear added a commit to original-brownbear/elasticsearch that referenced this issue Aug 7, 2018
original-brownbear added a commit that referenced this issue Aug 8, 2018
original-brownbear added a commit to original-brownbear/elasticsearch that referenced this issue Aug 8, 2018
5 participants