Payara is using the FasterXML (https://github.com/FasterXML/jackson) API, which is an implementation of various Jackson APIs.
Jackson is very powerful and easy to use for various purposes (mainly considering JSON), but it has a very long history of having XXE/SSRF vulnerabilities.
We are updating the Jackson libraries in our code as a part of Veracode SCA from time to time.
If you take a close look at the Payara security fix page (https://docs.payara.fish/community/docs/5.2020.2/security/security-fix-list.html), you will see that almost all the released Payara versions have Jackson (Databind or FasterXML) related flaws reported/fixed.
My question is: is it possible to upgrade just the Jackson libraries (or any other library) instead of upgrading the whole of Payara to a newer version? TIA