Any reason that jackson-mapper-asl can't be removed from spring-security-oauth2, see:
<dependency>
    <groupId>org.codehaus.jackson</groupId>
    <artifactId>jackson-mapper-asl</artifactId>
    <version>${jackson1.version}</version>
</dependency>
As a note, the Maven repository page details that this component is now jackson-databind: https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl.
Even if it can't be removed, updating this to the new group/artifact ID would allow Maven/Gradle dependency resolution to handle conflicting version dependencies in a more consistent way.
Also wondering if there's still need for such an old version of Jackson?
This issue bit me today. If you use the Jackson 2 combined with spring-security-oauth2, the org.codehaus... annotations are ignored, only the com.fasterxml... work.
Easy mistake to make if your IDE is doing imports automatically.
Can this be resolved by removing the old dependency in favour of the new one?
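One consumer-side workaround for the annotation mix-up described above, as an added example that is not part of the original issue or the project's own build: exclude the transitive Jackson 1 artifacts from spring-security-oauth2 and declare jackson-databind directly, so only the com.fasterxml annotations are on the classpath. The version properties are placeholders, not values from the issue.

```xml
<!-- Added example (not from the issue or the project). Versions are placeholders. -->
<properties>
  <spring-security-oauth2.version>PLACEHOLDER</spring-security-oauth2.version>
  <jackson2.version>PLACEHOLDER</jackson2.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>${spring-security-oauth2.version}</version>
    <exclusions>
      <!-- Drop the Jackson 1 (org.codehaus) artifacts that bring in
           jackson-mapper-asl-1.9.13.jar and jackson-core-asl-1.9.13.jar,
           the jars named in this thread. -->
      <exclusion>
        <groupId>org.codehaus.jackson</groupId>
        <artifactId>jackson-mapper-asl</artifactId>
      </exclusion>
      <exclusion>
        <groupId>org.codehaus.jackson</groupId>
        <artifactId>jackson-core-asl</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Declare Jackson 2 explicitly: with Jackson 1 gone, an accidental
       org.codehaus import fails at compile time instead of being
       silently ignored at runtime. -->
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>${jackson2.version}</version>
  </dependency>
</dependencies>
```

Confirm with `mvn dependency:tree -Dincludes=org.codehaus.jackson` that no other dependency re-introduces Jackson 1. If spring-security-oauth2 itself still loads org.codehaus classes at runtime, the exclusion surfaces as a NoClassDefFoundError, and upgrading to a release without the Jackson 1 dependency is the actual fix.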
Any news on this?
Given security issues related to jackson-mapper-asl, can we move this up on the priority list while we wait on a complete Oauth2 implementation in Spring 5?
Vulnerabilities in jackson-mapper-asl-1.9.13.jar:
HIGH - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15095
HIGH - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17485
HIGH - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7525
HIGH - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11307
HIGH - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7489
MEDIUM - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5968
@joshlandin are you sure? All indications are that they're all for jackson-databind, not jackson-mapper-asl.
@joshlandin We'll be removing Jackson 1 in the 2.4.0 release, which is scheduled for Nov 7.
Can we remove this from 2.0.x as this library has critical CVE vulnerabilities in the first place?
@davydotcom 2.0.x is no longer supported. The currently supported branches are 2.3.x and 2.4.x (2.4.0 releases this Thur Nov 14).
Considering it's a critical CVE I think it should be handled. We are in the midst of updating to latest spring framework as well. Also the PR is a clean cherry-pick and does work.
On Nov 11, 2019, at 4:25 PM, Joe Grandja notifications@github.com wrote:
@davydotcom https://github.com/davydotcom 2.0.x is no longer supported. The currently supported branches are 2.3.x and 2.4.x (2.4.0 releases this Thur Nov 14).
@davydotcom which CVE? As I said above, I believe there are a bunch incorrectly marked for jackson-mapper-asl that are actually only in jackson-databind. Would need confirmation from jackson developers to be completely sure.
@OrangeDog Why shouldn't these CVEs apply to jackson-mapper-asl? It's the predecessor of jackson-databind and in general, was vulnerable to "polymorphic deserialisation attacks" like databind is today.
It appears I was mistaken. I thought there was a more significant rewrite, or that jackson-mapper-asl had had separate fixes.
jackson-core-asl-1.9.13.jar
jackson-mapper-asl-1.9.13.jar
CVE-2019-10202
The CVE references the following other CVEs
CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086
@davydotcom Please review our support policy. Minor versions are supported a minimum of 12 months. FYI, 2.0.0 was released back in May 2014 so well past the support period.
Furthermore, the removal of a dependency could not be applied in a patch. Hence, the reason it was done in the 2.4.0 release (coming this Thur Nov 14). You will need to upgrade to 2.4.0 if you need to avoid the Jackson 1 dependency.
Seems odd considering 2.0.19 was released as recently as 26 days ago. This wasn't back in 2014 last I checked. It makes sense if you are still updating as recently as that to close a Critical SCORE CVE. Especially considering this is a SECURITY library.
@davydotcom The only reason the 2.0.x branch has been supported for this long is because Spring Boot 1.5.x depended on it. Now that Spring Boot 1.5.x has reached EOL so has the 2.0.x branch along with 2.1.x and 2.2.x.
And the main reason we are releasing 2.4.0 is to deprecate all classes as this project will be discontinued in the near future. We will be announcing this in the release blog on Thursday. The new OAuth 2.0 support lives in Spring Security 5 in case you are not aware. See the original announcement.