[JOC-728] Update Jackson Databind version to >= 2.9.9.2 due to 3rd party vulnerability issue (CVE-2019-14379, CVE-2019-14439) - SOS JIRA

XML

Word

Printable

Details

Type: Fix
Status: Released (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.12.10
Component/s: JOC Cockpit Web Service
Labels:
None

CVE-ID:
CVE-2019-14379, CVE-2019-14439

Description

Current Situation

Currently JOC Cockpit and JobScheduler use Jackson Databind version 2.9.9.
A vulnerability affects this version, see https://www.cvedetails.com/cve/CVE-2019-14379/ and https://www.cvedetails.com/cve/CVE-2019-14439/

Desired Behavior

Due to a vulnerability Issue of older Jackson releases the JOC Cockpit as well as the JobScheduler should use the current version 2.9.9.2 that fixes the issues.

Maintainer Notes

Release 1.11 that includes Jackson version 2.4.3 is at its end of life. Therefore no maintenance release is provided.
Users of release 1.11 should therefore upgrade to release 1.12.10.

Attachments

Activity

People

Assignee:: Santiago Aucejo Petzoldt

Reporter:: Andreas Püschel

Approver:: Kanika Agrawal

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 02 August 2019 06:02

Updated:: 29 July 2020 21:32

Resolved:: 05 August 2019 11:14