Jackson-databind lib vulnerability


pazyljo...@oath.com

Oct 20, 2017, 10:55:12 AM
to SonarQube
We are users of SonarQube, and recently we were warned about a security vulnerability in the jackson-databind libs. I tweeted SonarQube on Twitter but got no response. This morning 6.6 was released, but with old versions of the jackson libs. I was wondering if this issue can get any attention from the dev team on this project.

Eric Hartmann

Oct 20, 2017, 12:56:08 PM
to pazyljo...@oath.com, SonarQube
Hi Pazyljon,

I did not see your tweet on this subject. This mailing list is really preferable for those subjects.
I've created https://jira.sonarsource.com/browse/SONAR-10018 that will be fixed in next LTS version (6.7).

Cheers,

--
Eric HARTMANN | SonarSource

bi...@stephens-family.com

May 8, 2018, 12:42:11 PM
to SonarQube
SonarQube 7.1 is running jackson-databind version 2.6.6. It's vulnerable to CVE-2018-5968 (https://nvd.nist.gov/vuln/detail/CVE-2018-5968). It should be upgraded to 2.9.4 or later (2.9.5 is current) to address the issue.

Simon Brandhof

May 11, 2018, 3:09:17 AM
to bi...@stephens-family.com, SonarQube
The long road of vulnerability fixes :-) Jackson has already been upgraded recently to fix another CVE: https://jira.sonarsource.com/browse/SONAR-10608. I'm reopening the ticket to upgrade to 2.9.4+.
Thanks for the information, Bill.


--
Simon Brandhof | SonarSource
Co-Founder & Tech Lead
@SimonBrandhof
http://sonarsource.com