PRISMA-2023-0067: jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS)

Question

PRISMA-2023-0067: jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS)

tcherel opened this issue a year ago · comments

tcherel commented a year ago

See FasterXML/jackson-core#827

Can we get a rough estimate as when this upgrade might be done/available?

Thanks.

avinash1IBM · Answer 1 · Tue May 16 2023 21:56:36 GMT+0800 (China Standard Time)

Thanks for reporting the issue. I will work with our team and will update you with the rough estimate at the earliest. Thanks

avinash1IBM · Answer 2 · Mon May 22 2023 22:05:14 GMT+0800 (China Standard Time)

@tcherel We looked in the the vulnerability details that you shared, and found that the mentioned vulnerable function is not used at all in this java-sdk. So we will upgrade this dependency version and will include it the next release.

tcherel · Answer 3 · Mon May 22 2023 22:43:15 GMT+0800 (China Standard Time)

Thanks @avinash1IBM
Good to hear that it is not vulnerable but good to hear that you will upgrade anyway (some of our customers are pushing back as long as vulnerability is there).
Do you have a rough ETA for the next release?

avinash1IBM · Answer 4 · Mon Jun 05 2023 19:05:55 GMT+0800 (China Standard Time)

@tcherel a new version 2.13.1 of java is released which takes care of this vulnerability. So please close this issue.

tcherel · Answer 5 · Tue Jun 06 2023 00:37:02 GMT+0800 (China Standard Time)

Thanks @avinash1IBM
Closing.