[REQUEST REPLY] Vulnerabilities reported on NIST for jackson-databind:2.6.7.4 are not complete
54 views
Skip to first unread message
Mario Arzileiro
Feb 19, 2021, 10:48:09 AM2/19/21
to jackson-user
Hi,
I was checking the information that we have available for jackson-databind:2.6.7.4 on NIST NVD and it is showing Vulnerabilities (CVEs) that are already fixed.
Link for jackson-databind:2.6.7.4:
Link for the vulnerabilities list "here".
List of vulnerabilities fixed and the corresponding fixed version:
CVE | Fixed version
CVE-2018-11307 | 2.6.7.3
CVE-2019-16942 | 2.6.7.3
CVE-2020-9547 | 2.6.7.4
CVE-2019-20330 | 2.6.7.4
CVE-2020-8840 | 2.6.7.4
CVE-2020-9546 | 2.6.7.4
CVE-2020-9548 | 2.6.7.4
CVE-2019-16335 | 2.6.7.3
CVE-2017-15095 | 2.6.7.2
CVE-2019-14893 | 2.6.7.3
CVE-2019-17267 | 2.6.7.3
CVE-2019-14540 | 2.6.7.3
CVE-2020-11111 | 2.6.7.4
CVE-2020-11113 | 2.6.7.4
CVE-2020-10672 | 2.6.7.4
CVE-2020-10969 | 2.6.7.4
CVE-2020-10968 | 2.6.7.4
CVE-2020-10673 | 2.6.7.4
CVE-2020-11112 | 2.6.7.4
CVE-2020-14060 | 2.6.7.4
CVE-2020-11620 | 2.6.7.4
CVE-2020-24616 | 2.6.7.4
CVE-2020-14195 | 2.6.7.4
CVE-2020-11619 | 2.6.7.4
CVE-2020-24750 | 2.6.7.4
CVE-2020-14061 | 2.6.7.4
CVE-2020-14062 | 2.6.7.4
Please let me know if you are aware of it, and when are you expecting to have this fixed.
Best regards,
The content of this email is confidential and intended for the recipient specified in message only. It is strictly prohibited to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.
Tatu Saloranta
Feb 19, 2021, 12:30:48 PM2/19/21
to jackson-user
I am not quite sure what the question here is.
What is not fixed, where? According to whom? Since most CVEs are against jackson-databind, you can see issue tracker here:
and either search for "cve" (usually mentioned in the title), or label "cve".
Release notes under
contain updates too, although if you are interested in branch 2.6, you'll have to check that branch (under 'release-notes/2.6).
Note, however, that branch 2.6 is not maintained and it is unlikely anything would be fixed or released for that branch, beyond what has been backported by community members (Amazon OSS folks have been helpful with that).
-+ Tatu +-
Best regards,
The content of this email is confidential and intended for the recipient specified in message only. It is strictly prohibited to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.
--
You received this message because you are subscribed to the Google Groups "jackson-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jackson-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/2fb7c750-4f62-4154-a753-808e79c64a7an%40googlegroups.com.
Mario Arzileiro
Feb 23, 2021, 6:22:41 AM2/23/21
to jackson-user
Hello,
Sorry if I wasn't clear, let me just enumerate some assumptions, if any of this is not true, please let me know and we can clarify if needed:
* You know what NVD from NIST identifies the CVEs of public components;
* You know that jackson-databind vulnerabilities are identified on NVD;
* You know that vulnerability scan tools (such as Synopsys Blackduck or Snyk) rely on NVD as Source of Truth.
When I first contacted you, the vulnerabilities identified by NVD were not complete correct. There were a lot of CVEs that you already have fixed on jackson-databind:2.6.7.4.
I also contacted NIST about this issue and they already update their database. Now, they only identify 4 CVEs check this link.
I think that right know, you just need to validate that the remaining CVEs are accurr, and if not, contact them too with further information.
Why this is important?
Companies rely on Vulnerability scan tools, and those tools rely on this NVD database. It's essential for your project that this information is up to date, in order to give the exact information for risk assessment analysis and, since the CVEs are wrongly reported, you want that info to be shared and show that your product is safe.
Right now, there is a tool (Blackduck) that reports jackson-databind:2.6.7.4 to have 50+ CVEs, which is not true.
I think that I don't have more information to give. Please use this as your will, if you have more doubts please let me know.
Thanks
Tatu Saloranta
Feb 23, 2021, 2:14:42 PM2/23/21
to jackson-user
On Tue, Feb 23, 2021 at 3:22 AM Mario Arzileiro <mario.a...@feedzai.com> wrote:
Hello,Sorry if I wasn't clear, let me just enumerate some assumptions, if any of this is not true, please let me know and we can clarify if needed:* You know what NVD from NIST identifies the CVEs of public components;* You know that jackson-databind vulnerabilities are identified on NVD;* You know that vulnerability scan tools (such as Synopsys Blackduck or Snyk) rely on NVD as Source of Truth.When I first contacted you, the vulnerabilities identified by NVD were not complete correct. There were a lot of CVEs that you already have fixed on jackson-databind:2.6.7.4.I also contacted NIST about this issue and they already update their database. Now, they only identify 4 CVEs check this link.I think that right know, you just need to validate that the remaining CVEs are accurr, and if not, contact them too with further information.
I think that at this point if you want this information, you will go and do that.
I do not recall you paying my salary, or being a customer of any sort.
Why this is important?Companies rely on Vulnerability scan tools, and those tools rely on this NVD database. It's essential for your project that this information is up to date, in order to give the exact information for risk assessment analysis and, since the CVEs are wrongly reported, you want that info to be shared and show that your product is safe.Right now, there is a tool (Blackduck) that reports jackson-databind:2.6.7.4 to have 50+ CVEs, which is not true.I think that I don't have more information to give. Please use this as your will, if you have more doubts please let me know.
You are free to do whatever work you want, but it seems extremely arrogant to come here to demand I (or anyone else) do things you need. This is not far removed from "I got this homework for my CS class can you please write a solution for me", as I see it.
I work with community members on things reported but this only works when everyone collaborates and contributes something. You are just posting a big laundry list of stuff that you are worried about asking for someone else doing something; others to spend their time.
In fact I hate having spent time even responding, at this point.
-+ Tatu +-
To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/8b7f72f1-f458-41ce-8602-14c5d6241a94n%40googlegroups.com.
Tatu Saloranta
Feb 23, 2021, 2:26:33 PM2/23/21
to jackson-user
On Tue, Feb 23, 2021 at 11:14 AM Tatu Saloranta <tsalo...@gmail.com> wrote:
On Tue, Feb 23, 2021 at 3:22 AM Mario Arzileiro <mario.a...@feedzai.com> wrote:Hello,Sorry if I wasn't clear, let me just enumerate some assumptions, if any of this is not true, please let me know and we can clarify if needed:* You know what NVD from NIST identifies the CVEs of public components;* You know that jackson-databind vulnerabilities are identified on NVD;* You know that vulnerability scan tools (such as Synopsys Blackduck or Snyk) rely on NVD as Source of Truth.When I first contacted you, the vulnerabilities identified by NVD were not complete correct. There were a lot of CVEs that you already have fixed on jackson-databind:2.6.7.4.I also contacted NIST about this issue and they already update their database. Now, they only identify 4 CVEs check this link.I think that right know, you just need to validate that the remaining CVEs are accurr, and if not, contact them too with further information.I think that at this point if you want this information, you will go and do that.I do not recall you paying my salary, or being a customer of any sort.Why this is important?Companies rely on Vulnerability scan tools, and those tools rely on this NVD database. It's essential for your project that this information is up to date, in order to give the exact information for risk assessment analysis and, since the CVEs are wrongly reported, you want that info to be shared and show that your product is safe.Right now, there is a tool (Blackduck) that reports jackson-databind:2.6.7.4 to have 50+ CVEs, which is not true.I think that I don't have more information to give. Please use this as your will, if you have more doubts please let me know.You are free to do whatever work you want, but it seems extremely arrogant to come here to demand I (or anyone else) do things you need. This is not far removed from "I got this homework for my CS class can you please write a solution for me", as I see it.I work with community members on things reported but this only works when everyone collaborates and contributes something. You are just posting a big laundry list of stuff that you are worried about asking for someone else doing something; others to spend their time.In fact I hate having spent time even responding, at this point.
Mario,
After re-reading your message, I realized I misunderstood and overreacted, based on commenting just on the first message with a long list of ids. There have been cases on issue tracker where I feel there has been sense of entitlement -- but your message is not one.
Since you did already work through the list, I was mistaken to think you have not collaborated here or done part of the process. I am sorry for claiming you have not helped.
Now. Since there are only remaining 4 cves, I will check out the link and see what can be done; keeping in mind that 2.6.x branch is long closed.
-+ Tatu +-
Tatu Saloranta
Feb 23, 2021, 2:55:13 PM2/23/21
to jackson-user
On Tue, Feb 23, 2021 at 11:26 AM Tatu Saloranta <tsalo...@gmail.com> wrote:
>
> On Tue, Feb 23, 2021 at 11:14 AM Tatu Saloranta <tsalo...@gmail.com> wrote:
>>
>> On Tue, Feb 23, 2021 at 3:22 AM Mario Arzileiro <mario.a...@feedzai.com> wrote:
>>>
>>> Hello,
>>>
>>> Sorry if I wasn't clear, let me just enumerate some assumptions, if any of this is not true, please let me know and we can clarify if needed:
>>> * You know what NVD from NIST identifies the CVEs of public components;
>>> * You know that jackson-databind vulnerabilities are identified on NVD;
>>> * You know that vulnerability scan tools (such as Synopsys Blackduck or Snyk) rely on NVD as Source of Truth.
>>>
>>> When I first contacted you, the vulnerabilities identified by NVD were not complete correct. There were a lot of CVEs that you already have fixed on jackson-databind:2.6.7.4.
>>> I also contacted NIST about this issue and they already update their database. Now, they only identify 4 CVEs check this link.
>>>
>>> I think that right know, you just need to validate that the remaining CVEs are accurr, and if not, contact them too with further information.
Of 4 remaining CVEs, 3 do affect 2.6.7.4 (information is correct), but
>
> On Tue, Feb 23, 2021 at 11:14 AM Tatu Saloranta <tsalo...@gmail.com> wrote:
>>
>> On Tue, Feb 23, 2021 at 3:22 AM Mario Arzileiro <mario.a...@feedzai.com> wrote:
>>>
>>> Hello,
>>>
>>> Sorry if I wasn't clear, let me just enumerate some assumptions, if any of this is not true, please let me know and we can clarify if needed:
>>> * You know what NVD from NIST identifies the CVEs of public components;
>>> * You know that jackson-databind vulnerabilities are identified on NVD;
>>> * You know that vulnerability scan tools (such as Synopsys Blackduck or Snyk) rely on NVD as Source of Truth.
>>>
>>> When I first contacted you, the vulnerabilities identified by NVD were not complete correct. There were a lot of CVEs that you already have fixed on jackson-databind:2.6.7.4.
>>> I also contacted NIST about this issue and they already update their database. Now, they only identify 4 CVEs check this link.
>>>
>>> I think that right know, you just need to validate that the remaining CVEs are accurr, and if not, contact them too with further information.
one has been fixed in 2.6.7.4:
* https://nvd.nist.gov/vuln/detail/CVE-2020-10673 /
https://github.com/FasterXML/jackson-databind/issues/2660
I am not sure what the way is to indicate updated information, but I
did update issue #2660 description to indicate that the fix
was backported in 2.6 branch and released in 2.6.7.4.
-+ Tatu +-
Mario Arzileiro
Feb 25, 2021, 9:22:52 AM2/25/21
to jackson-user
Hello Tatu,
Thanks for the heads-up.
I already follow up on the request for NIST by mentioning that thread in order to update it.
Must appreciate,
Mário
Tatu Saloranta
Feb 25, 2021, 2:27:24 PM2/25/21
to jackson-user
Thank you! I saw the thread; good that the status of issues now seems to be correct wrt 2.6.7.4.
-+ Tatu +-
The content of this email is confidential and intended for the recipient specified in message only. It is strictly prohibited to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future. --
You received this message because you are subscribed to the Google Groups "jackson-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jackson-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/856412d8-edac-4a47-b7f1-e3ccfe29ea71n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages