Critical CVE related to com.fasterxml.jackson.core:jackson-databind

[louptony]

Hello,

4 CVEs (CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721) are brought up with the com.fasterxml.jackson.core:jackson-databind version 2.9.5 inlcuded in spring-cloud-cloudfoundry-connector. The corrections were fixed in version 2.9.8. The fix will be added in version 2.0.5 of spring-cloud-connectors.

Can the version be updated in a quick upcoming bug fix?

Thank you

[wilkinsona]

Spring Boot 2.1.x's dependency management already uses Jackson 2.9.8. It will override the version that Spring Cloud Connectors uses by default. In short, there's nothing for us to do here.

[pioto]

This issue impacts Spring Boot 1.5.x as well, though I don't know if there's any plan to fix it there.

Is it safe to simply update the jackson.version property to 2.9.8, or is there some known incompatibility there with the older Spring code?

[wilkinsona]

AFAIK, Spring Boot 1.5.x should work with Jackson 2.9.8. I'd strongly recommend an upgrade to 2.1.x in the near future though. 1.5.x will reach end of life in August.

[wilkinsona]

Note that the fixes for those CVEs are included in the 2.8.x line of Jackson as well so there should be no need to override the version. If you haven't already seen it, this blog post is recommended reading with regards to Jackson CVEs. Even on a version without the fixes, it's unlikely that your application would be vulnerable.