Question on which jackson library to use due to CVE against 2.10.2


Ron Karim (Oracle Corp.)

Feb 23, 2021, 2:36:07 PM
to jackson-user

Oracle Corp. uses jackson_databind 2.10.2 widely across many product lines.
The latest CVE requires us to move to any of the following versions:
2.11.0, 2.10.5.1 OR 2.9.10.8

Any recommendations on which version would be the most compatible and secure if we are currently on jackson 2.10.2?

We are tentatively considering version 2.10.5.1.


Thanks,
Ron

Tatu Saloranta

Feb 23, 2021, 2:59:40 PM
to jackson-user
I would go with that: just note that for components other than
`jackson-databind` there is just 2.10.5 released (you can use `jackson-bom`
version `2.10.5.20201202` to get a consistent set -- see
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10).

Later on it would probably make sense to upgrade to the latest 2.11
patch, 2.11.4 (there is rarely if ever any benefit to go anything
but the latest patch of a given minor version). But as the first step,
2.10.5.1 sounds like a good option.

-+ Tatu +-

> Thanks,
> Ron

Ron Karim (Oracle Corp.)

Feb 24, 2021, 1:41:51 PM
to jackson-user
Thank you kindly. We will go with jackson_databind 2.10.5.
We also need to include jackson_core and jackson_annotations with this upgrade.
Would you please recommend the most compatible release versions we should bundle with jackson_databind 2.10.5.1 for
1. jackson_annotations
2. jackson_core ?

As the upgrade patch will be used by a huge number of products across the corporate spectrum we wanted to be certain. Mistakes in the past with these combinations proved very costly. Thanks.

Ron Karim (Oracle Corp.)

Feb 24, 2021, 5:37:40 PM
to jackson-user
We will be using these 3 jars for our latest jackson libraries update due to recent CVEs:
Assuming that jackson_annotations and jackson_core version 2.10.5 will be compatible with jackson_databind 2.10.5.1

Kindly let us know if there will be any issues with this patch bundle (going out to all users).

On Wednesday, February 24, 2021 at 10:41:51 AM UTC-8 Ron Karim (Oracle Corp.) wrote:
> Thank you kindly. We will go with jackson_databind 2.10.5.1

Tatu Saloranta

Feb 24, 2021, 6:55:50 PM
to jackson-user
On Wed, Feb 24, 2021 at 10:41 AM Ron Karim (Oracle Corp.)
<ron....@gmail.com> wrote:
>
> Thank you kindly. We will go with jackson_databind 2.10.5.
> We also need to include jackson_core and jackson_annotations with this upgrade.
> Would you please recommend the most compatible release versions we should bundle with jackson_databind 2.10.5.1 for
> 1. jackson_annotations
> 2. jackson_core ?

For jackson-core that would be 2.10.5. For jackson-annotations it does
not matter as all 2.10.x versions are identical (no changes
are ever made in patch releases for annotations).
But for simplicity, most users go with 2.10.5.

If you can import a "bill of materials" (BOM) style parent pom, this one:

https://mvnrepository.com/artifact/com.fasterxml.jackson/jackson-bom/2.10.5.20201202

is what I would recommend. As can be seen from:

https://repo1.maven.org/maven2/com/fasterxml/jackson/jackson-bom/2.10.5.20201202/jackson-bom-2.10.5.20201202.pom

the versions it specifies are:

* jackson-databind 2.10.5.1
* jackson-core 2.10.5
* jackson-annotations 2.10.5

I hope this helps,

-+ Tatu +-
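The BOM import Tatu describes, written out as an added Maven `pom.xml` fragment (this is an illustration added here, not code from the thread or from the Jackson project). The only real coordinates are the `jackson-bom` 2.10.5.20201202 artifact and the three `com.fasterxml.jackson.core` modules named in the reply; the project `groupId`/`artifactId` are placeholders.

```xml
<!-- Added example (not from the thread): import jackson-bom 2.10.5.20201202
     so that every Jackson module resolves to the BOM's version set
     (databind 2.10.5.1, core 2.10.5, annotations 2.10.5). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>              <!-- placeholder -->
  <artifactId>jackson-bom-demo</artifactId>   <!-- placeholder -->
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- type "pom" + scope "import" pulls the BOM's own
           <dependencyManagement> section into this build without
           adding any jar by itself. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>2.10.5.20201202</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No <version> elements here: the BOM supplies them, so the
         three modules cannot drift apart from one another. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-annotations</artifactId>
    </dependency>
  </dependencies>
</project>
```

Because the BOM lands in `dependencyManagement`, it also pins any Jackson module that other libraries pull in transitively, which is the usual way an older `jackson-databind` sneaks back into a build. After the change, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` lists the resolved versions so the 2.10.5.1 / 2.10.5 / 2.10.5 set can be confirmed before the patch bundle ships.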