Do Jackson libraries use asm objectweb libraries ?


Ron Karim

Mar 12, 2025, 5:59:35 PM
to jackson-user
Do Jackson libraries require the asm objectweb library for bytecode manipulation and other tasks?
Jersey has repackaged asm libraries included, but does any version of Jackson have repackaged asm libraries?

Ron Karim, Enterprise Technology Group, Oracle Corporation

Joo Hyuk Kim

Mar 12, 2025, 7:13:39 PM
to jackso...@googlegroups.com
Can you also share the reference to the mentioned Jersey library?

On Thu, Mar 13, 2025 at 6:59 AM, Ron Karim <ron....@gmail.com> wrote:
> Do Jackson libraries require the asm objectweb library for bytecode manipulation and other tasks?
> Jersey has repackaged asm libraries included, but does any version of Jackson have repackaged asm libraries?
>
> Ron Karim, Enterprise Technology Group, Oracle Corporation

--
You received this message because you are subscribed to the Google Groups "jackson-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jackson-user...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/jackson-user/6fda6b35-0a12-492a-be1e-f64715e2b031n%40googlegroups.com.

Tatu Saloranta

Mar 12, 2025, 10:13:44 PM
to jackso...@googlegroups.com
Not core components (jackson-annotations, jackson-core, jackson-databind).

But 2 extension modules do use Asm:

* jackson-module-afterburner
* jackson-module-mrbean

and include it as shaded (re-packaged) classes. But those are optional
modules user has to specifically depend on.

-+ Tatu +-
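
One way to check which jars on a classpath carry their own copy of ASM, shaded or not, as an added example that is not from the thread or the Jackson project. It identifies ASM by three of its core class names found together under one package; the sample jars and their package names are constructed and hypothetical.

```python
import io
import zipfile

# Core ASM classes; finding all of them under one package identifies a copy
# of the library whatever prefix a shading plugin moved it to.
ASM_MARKERS = {"ClassReader.class", "ClassWriter.class", "ClassVisitor.class"}
UNSHADED = "org/objectweb/asm"


def find_asm_copies(jar_bytes):
    """Return {package_path: 'unshaded' | 'shaded'} for each ASM copy in a jar."""
    seen = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            package, _, simple = name.rpartition("/")
            if simple in ASM_MARKERS:
                seen.setdefault(package, set()).add(simple)
    # Require every marker class so one similarly named class is not a match.
    return {
        pkg: "unshaded" if pkg == UNSHADED else "shaded"
        for pkg, found in seen.items()
        if found == ASM_MARKERS
    }


def make_jar(entries):
    """Build an in-memory jar with empty entries (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return buf.getvalue()


# Constructed samples; the package names below are hypothetical.
SHADED_JAR = make_jar(
    ["example/module/shaded/asm/" + c for c in sorted(ASM_MARKERS)]
    + ["example/module/Optimizer.class"]
)
PLAIN_JAR = make_jar([UNSHADED + "/" + c for c in sorted(ASM_MARKERS)])
NO_ASM_JAR = make_jar(["example/json/Parser.class", "example/util/ClassWriter.class"])

if __name__ == "__main__":
    for label, data in [("shaded", SHADED_JAR), ("plain", PLAIN_JAR), ("none", NO_ASM_JAR)]:
        print(label, find_asm_copies(data))
```

To scan a real file, pass `open(path, "rb").read()` to `find_asm_copies`; shaded copies do not appear in a dependency tree, so a scan of the jar contents is what reveals them.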

Ron Karim

Mar 17, 2025, 3:40:21 PM
to jackson-user
Thank you for the detailed explanation, we were encountering some errors with asm objectweb and jackson, turns out it has to do with jersey libraries.

Tatu Saloranta

Mar 17, 2025, 4:50:27 PM
to jackso...@googlegroups.com
Ok, thank you for the context here.

-+ Tatu +-

Ron Karim

Jan 28, 2026, 5:06:46 PM
to jackso...@googlegroups.com, ta...@fasterxml.com
Hi Tatu,

We have to use Jackson version 2.14.2 for a large enterprise-level application which still requires Java 7.

There are 2 CVEs against Jackson 2.14.2 (CVE-2025-52999, CVE-2023-35116). The recommendation is to use Jackson version 2.15, which requires Java 8.

Is there a Jackson 2.14.2 version (on Java 7 runtime) with these CVE issues fixed that we can use in the application?
We cannot update JDK .7 in this application at this time.

Thanks,
Ron 


Joo Hyuk Kim

Jan 28, 2026, 7:48:08 PM
to jackso...@googlegroups.com, ta...@fasterxml.com
If you check the project GitHub Issues you might find some.



Ron Karim

Jan 28, 2026, 11:37:38 PM
to jackso...@googlegroups.com
Thank you, appreciate the reference. Since we are a large corp, it has to be officially out of the same resources as Jackson.

Ron




Tatu Saloranta

Jan 30, 2026, 1:29:27 AM
to jackso...@googlegroups.com, ta...@fasterxml.com
I am traveling with limited access. There is 2.14.3 (see mvnrepository.com) but I suspect it has at least 52999 remaining.
I don't see further 2.14 releases.

I'll be back next week and have another look.

/Tatu



Tatu Saloranta

Feb 2, 2026, 5:37:03 PM
to jackso...@googlegroups.com, ta...@fasterxml.com
On Thu, Jan 29, 2026 at 10:29 PM Tatu Saloranta <tsalo...@gmail.com> wrote:
> I am traveling with limited access. There is 2.14.3 (see mvnrepository.com) but I suspect it has at least 52999 remaining.
> I don't see further 2.14 releases.
>
> I'll be back next week and have another look.
>
> /Tatu
>
> On Thu, Jan 29, 2026 at 12:06 AM Ron Karim <ron....@gmail.com> wrote:
> > Hi Tatu,
> >
> > We have to use Jackson version 2.14.2 for a large enterprise-level application which still requires Java 7.
> >
> > There are 2 CVEs against Jackson 2.14.2 (CVE-2025-52999, CVE-2023-35116). The recommendation is to use Jackson version 2.15, which requires Java 8.

Ok: so:

* CVE-2025-52999 fixed via https://github.com/FasterXML/jackson-core/pull/943 -- version 2.15.0 and above. Cannot be backported, sizable changes (plus building and releasing of pre-2.18 would be problematic wrt Sonatype publishing changes)
* CVE-2023-35116: is basically invalid (see my suggestion on https://github.com/FasterXML/jackson-databind/issues/3972 wrt what submitter should do). But it also happens to be resolved by 2.16 fix:
 
Be that as it may, I am confused here:


> > Is there a Jackson 2.14.2 version (on Java 7 runtime) with these CVE issues fixed that we can use in the application?
> > We cannot update JDK .7 in this application at this time.


"Compatibility: JDK requirements" indicates that the JDK baseline for `jackson-databind` was raised to Java 8 for 2.13.0.
And further, 2.14 raised it for `jackson-core`.
If this is the case, I don't think Java 7 constraint is true if 2.14.x has already been in use.

Finally: if `jackson-databind` 2.15+ is problematic, it is likely that `jackson-core` version can be increased separately (to at least next minor version) -- databind requires certain minimum version of core, but reverse is not strictly true: usually newer "jackson-core" works with older "jackson-databind". But not the reverse.

I hope this helps,

-+ Tatu +-
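
The version rules from the reply above, applied to `mvn dependency:list` style output, as an added example that is not code from the thread or the Jackson project. The sample dependency lines are constructed; the 2.15.0 fix version and the core/databind ordering rule are the ones stated in the thread.

```python
import re

# Fix version taken from the thread: CVE-2025-52999 is fixed in jackson-core 2.15.0+.
CORE_FIX = (2, 15, 0)
LINE = re.compile(
    r"com\.fasterxml\.jackson\.core:(jackson-(?:core|databind)):jar:(\d+)\.(\d+)\.(\d+)"
)


def parse_versions(dependency_list):
    """Map artifactId -> (major, minor, patch) from dependency:list style lines."""
    versions = {}
    for match in LINE.finditer(dependency_list):
        versions[match.group(1)] = tuple(int(g) for g in match.groups()[1:])
    return versions


def review(dependency_list):
    """Return findings for the jackson-core / jackson-databind pair."""
    v = parse_versions(dependency_list)
    core, databind = v.get("jackson-core"), v.get("jackson-databind")
    findings = []
    if core and core < CORE_FIX:
        findings.append(
            "jackson-core %d.%d.%d predates the CVE-2025-52999 fix (2.15.0)" % core
        )
    # Rule from the thread: newer core with older databind usually works,
    # older core with newer databind does not.
    if core and databind and core[:2] < databind[:2]:
        findings.append(
            "jackson-core %d.%d is older than jackson-databind %d.%d"
            % (core[:2] + databind[:2])
        )
    return findings


# Constructed sample inputs.
BEFORE = """[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.14.2:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.14.2:compile"""
CORE_BUMPED = """[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.14.2:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.15.0:compile"""
CORE_BEHIND = """[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.14.2:compile"""

if __name__ == "__main__":
    for sample in (BEFORE, CORE_BUMPED, CORE_BEHIND):
        print(review(sample))
```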

Tamás Cservenák

Feb 2, 2026, 6:25:27 PM
to jackso...@googlegroups.com, ta...@fasterxml.com
Just FTR, regarding this bit "plus building and releasing of pre-2.18
would be problematic wrt Sonatype publishing changes".
I can recommend (and help with) Maveniverse Njord, that is able to
locally stage/capture and publish to Sonatype Central Portal any
project, like legacy ones, as showcased in doco:
https://maveniverse.eu/docs/njord/using-it/#using-it

Thanks
T

Tatu Saloranta

Feb 2, 2026, 6:26:49 PM
to jackso...@googlegroups.com, ta...@fasterxml.com
On Mon, Feb 2, 2026 at 3:25 PM Tamás Cservenák <ta...@cservenak.net> wrote:
> Just FTR, regarding this bit "plus building and releasing of pre-2.18
> would be problematic wrt Sonatype publishing changes".
> I can recommend (and help with) Maveniverse Njord, that is able to
> locally stage/capture and publish to Sonatype Central Portal any
> project, like legacy ones, as showcased in doco:
> https://maveniverse.eu/docs/njord/using-it/#using-it
>
> Thanks
> T

Thank you! This is good info to have,

-+ Tatu +-
 