IBM / ibm-cos-sdk-java

CVE-2023-35116: jackson-databind package versions before 2.16.0

hbornstein747 opened this issue · comments

See FasterXML/jackson-databind#3972 and https://nvd.nist.gov/vuln/detail/CVE-2023-35116

Even after updating to the suggested version for this CVE, it is still being reported as vulnerable and now requires yet another upgrade to jackson-databind 2.16.0. This is related to #63.

Can it be done for the COS SDK?
cc: @tcherel

@hbornstein747 the jackson-databind team didn't agree that it is a vulnerability (FasterXML/jackson-databind#3972 (comment)), and even if we upgrade the package to 2.16.0, the same vulnerability will be flagged again. Even the NVD site that you shared above added a note saying this:
NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

So can you please close this ticket?

@avinash1IBM I agree that this is just churn and the vulnerability will likely come up again, but we (CP4D team at IBM) are being asked to update databind regardless. I don't want to close the ticket until our security focal (@tcherel) can comment.

@hbornstein747 A new version of ibm-cos-sdk-java is released to fix this. Please close this issue.