Jackson Vulnerabilities

Zack Macomber

Jan 31, 2018, 3:27:04 PM
to Dependency Check
My company was told that Jackson (https://github.com/FasterXML/jackson) versions below 2.9.4 or 2.8.11 have vulnerabilities related to CVE-2017-7525, CVE-2017-15095 & CVE-2017-17485.  We have the Jackson annotations, core and databind jars all at 2.8.3.  When I grep dependency-check-report.xml that was produced from the most recent Jenkins run for those CVE entries, no matches are found.

Should those CVE entries be showing up on the report since I'm using 2.8.3?

Jeremy Long

Feb 6, 2018, 6:14:12 AM
to Zack Macomber, Dependency Check
Zack,

For some reason, CVE-2017-7525 and CVE-2017-15095 are currently not available in the NVD. If the vulnerability is not in the NVD data feed it will not be reported on. I just used the dependency-check-maven plugin with the following dependency and CVE-2017-17486 was identified:

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.8.3</version>
</dependency>

How are you using dependency-check?  Command line, Jenkins plugin, ant task, maven plugin, gradle plugin, sbt plugin, or lein plugin? In addition, which version number of dependency-check are you using?

--Jeremy


Zack Macomber

Feb 6, 2018, 8:00:27 AM
to Dependency Check
We're using version 3.1.1 of the OWASP Dependency-Check Plugin in Jenkins.

Jeremy Long

Feb 6, 2018, 8:23:42 AM
to Zack Macomber, Dependency Check
I just tested the CLI - which would behave exactly like the Jenkins plugin - and the CVE was detected. Are any dependencies being identified? The plugin may not be set up correctly. Take a look at the generated report; by default it is XML but can be configured to ALL, which will include an HTML report (note, from Jenkins you must download the HTML report and view it locally, as Jenkins has a CSP that blocks most of the functionality). Are any dependencies listed? Note - they would be listed in the report even if they did not have a vulnerability associated with them (in the HTML report you would have to click on the 'display all dependencies' link).

--Jeremy


Zack Macomber

Feb 6, 2018, 9:31:25 AM
to Dependency Check
Hi Jeremy,

I think we're all set for now.  I forgot to update this ticket and say that I actually did see jackson-databind show up as a vulnerability in a recent run before I upgraded our Jackson libraries.

DP Rajasekhar

Feb 13, 2018, 2:38:20 AM
to Dependency Check
Hi Jeremy,

We are trying to run the CLI / Jenkins plugin on jackson-databind-2.9.0.jar and it's not showing up in the vulnerability scan. I have opened the h2 db and observed that the patterns were "cpe:/a:fasterxml:jackson-databind:2.8.11", "cpe:/a:fasterxml:jackson-databind:2.8.10". Any idea on why it was behaving like this?

DP Rajasekhar

Feb 14, 2018, 2:54:56 AM
to Dependency Check
I have tried downloading the feed from the nisd and it seems the feed is providing this pattern, which makes jars not be detected as vulnerable.
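The gap described in the two posts above, as an added example that is not code from the thread or from dependency-check: the NVD feed lists exact-version CPE entries (2.8.10, 2.8.11), so a jar at 2.9.0 never matches, while a check against the fixed versions named at the top of the thread (2.8.11 and 2.9.4) would flag it. The exact-match function is a deliberately simplified stand-in for dependency-check's real CPE matcher, and the version-branch logic is my assumption about how the "below 2.9.4 or 2.8.11" statement applies.

```python
import re

# CPE 2.2 URIs as reported in the thread (observed in the h2 database).
CPE_ENTRIES = [
    "cpe:/a:fasterxml:jackson-databind:2.8.10",
    "cpe:/a:fasterxml:jackson-databind:2.8.11",
]
# Fixed versions named in the thread: anything below 2.8.11 / 2.9.4 is affected.
FIXED_VERSIONS = ["2.8.11", "2.9.4"]

JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9._-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def jar_version(jar_name):
    """Split 'jackson-databind-2.9.0.jar' into ('jackson-databind', '2.9.0')."""
    m = JAR_RE.match(jar_name)
    if not m:
        raise ValueError(f"unrecognised jar name: {jar_name}")
    return m.group("artifact"), m.group("version")


def parse_cpe22(uri):
    """Parse a CPE 2.2 URI into its part, vendor, product and version fields."""
    fields = uri.split(":")
    if len(fields) < 4 or fields[0] != "cpe" or not fields[1].startswith("/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    return {"part": fields[1][1:], "vendor": fields[2], "product": fields[3],
            "version": fields[4] if len(fields) > 4 else ""}


def cpe_exact_matches(product, version, entries):
    """Simplified exact-version matching (assumption, not the real matcher):
    only an identical product and version string is a hit."""
    parsed = [(e, parse_cpe22(e)) for e in entries]
    return [e for e, c in parsed
            if c["product"] == product and c["version"] == version]


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def below_fix(version, fixed=FIXED_VERSIONS):
    """True when version is older than the fix on its own minor branch, or older
    than every fixed branch (an older branch with no backport)."""
    v = version_tuple(version)
    for f in fixed:
        ft = version_tuple(f)
        if v[:2] == ft[:2]:
            return v < ft
    return v < min(version_tuple(f) for f in fixed)


def scan(jar_name):
    """Return both verdicts so the gap between them is visible for one jar."""
    product, version = jar_version(jar_name)
    return {"cpe_hit": bool(cpe_exact_matches(product, version, CPE_ENTRIES)),
            "below_fix": below_fix(version)}
```

Running scan("jackson-databind-2.9.0.jar") gives cpe_hit False but below_fix True, which is exactly the silent miss the feed's exact-version entries produce.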

Jeremy Long

Feb 25, 2018, 6:26:45 AM
to Dependency Check
This is being tracked as github issue #1088.

--Jeremy