CVE-2022-42003 - ibm-cos-java-sdk-bundle 2.12.0 contains vulnerable in jackson-databind 2.13.3

Question

mkrakow opened this issue 2 years ago · comments

The library jackson-databind version 2.13.3 is embedded in the latest version 2.12.0 of ibm-cos-java-sdk-bundle .

According to GHSA-57j2-w4cx-62h2 the above version of Jackson Databind is vulnerable.

Could you please fix COS Java SDK bundle with updated Jackson Databind library to 2.14.0 ?

IBMalok · Answer 1 · Thu Oct 13 2022 21:34:44 GMT+0800 (China Standard Time)

@mkrakow - Thanks for your report. We have an internal ticket to complete this work.

tcherel · Answer 2 · Fri Oct 21 2022 21:21:50 GMT+0800 (China Standard Time)

@IBMalok do you have an idea when that will be completed?
Jackson Databind library to 2.14.0 is not GA yet but 2.13.4.2 (already GA) contains all the fixes need for this vulnerability (as well as some of the recent new ones (https://nvd.nist.gov/vuln/detail/CVE-2022-42003 and https://nvd.nist.gov/vuln/detail/CVE-2022-42004).

IBMalok · Answer 3 · Thu Oct 27 2022 00:36:55 GMT+0800 (China Standard Time)

@tcherel - We're going to release soon.

IBMalok · Answer 4 · Fri Nov 04 2022 01:51:07 GMT+0800 (China Standard Time)

@mkrakow @tcherel - We have released 2.12.1 to address this issue. Please verify and close this ticket.

IBMalok · Answer 5 · Thu Nov 17 2022 15:39:10 GMT+0800 (China Standard Time)

Closing this issue as resolved.

tcherel · Answer 6 · Thu Nov 17 2022 18:48:20 GMT+0800 (China Standard Time)

@IBMalok my apologies, forgot to update the git issue to confirm that the issue is indeed fixed.
Thanks