
Resolving jackson-mapper-asl vulnerability #24121

Open
wants to merge 2 commits into
base: master

Conversation

KarthikaPKumar

Description

Identified security vulnerability issues of severity high from jackson-mapper-asl and resolved the same.
Excluded the transitive dependency of jackson-mapper-asl occurring from parent packages that does not break the build or impact the functionality but removes the said exploitable.

Motivation and Context

Vulnerabilities
Direct vulnerabilities:
CVE-2019-10202
CVE-2019-10172

Impact

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Test Plan

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== NO RELEASE NOTE ==

@tdcmeehan tdcmeehan added the from:IBM PR from IBM label Nov 22, 2024
@prestodb-ci prestodb-ci requested review from a team, pratyakshsharma and auden-woolfson and removed request for a team November 22, 2024 15:54
@prestodb-ci

Saved that user @KarthikaPKumar is from IBM

Contributor

@auden-woolfson auden-woolfson left a comment


LGTM

Member

@agrawalreetika agrawalreetika left a comment


@KarthikaPKumar I just tried to look at the dependency tree of presto-hive & presto-hive-hadoop2, but I couldn't find org.codehaus.jackson:org.codehaus.jackson in there.

Could you please confirm to me how you checked for it?

@pratyakshsharma
Contributor

@KarthikaPKumar can you please respond to above question?

@KarthikaPKumar
Author

@KarthikaPKumar I just tried to look at the dependency tree of presto-hive & presto-hive-hadoop2, but I couldn't find org.codehaus.jackson:org.codehaus.jackson in there.

Could you please confirm to me how you checked for it?

Hi @agrawalreetika
Since it is a transitive dependency, you will have to use the Maven dependency tree, pinpoint the source jar, and run it through the scan to get the path. Or simply remove the exclusion and try checking in the dependency tree.

@pratyakshsharma
Contributor

pratyakshsharma commented Dec 17, 2024

The dependency tree does not show this transitive dependency, I tried checking on master branch @KarthikaPKumar. Can you try running and share a screenshot if possible? Probably this dependency is deep down into the tree and is not showing. Running through the scan seems to be the only way to see it.
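One way to pinpoint where a transitive artifact such as jackson-mapper-asl enters a module, as discussed above: parse the `mvn dependency:tree` output and print the root-to-artifact path, whose second element is the direct dependency that needs the `<exclusion>`. This is an added example, not code from the PR or from Presto; the tree text below is constructed (module and library names are invented), and the suggested invocation assumes the maven-dependency-plugin's standard `-Dverbose` and `-Dincludes` parameters, which also list routes the default tree omits as duplicates.

```python
import re
from typing import List

# Constructed sample of `mvn dependency:tree -Dverbose` output (not from the PR).
# Real input:  mvn dependency:tree -Dverbose -Dincludes=org.codehaus.jackson
SAMPLE_TREE = """\
[INFO] com.example:sample-module:jar:0.1
[INFO] +- org.example:direct-dep-a:jar:1.0:compile
[INFO] |  +- org.example:nested-lib:jar:1.0:compile
[INFO] |  |  \\- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  |     \\- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  \\- org.example:other-lib:jar:2.0:compile
[INFO] \\- org.example:direct-dep-b:jar:3.0:compile
[INFO]    \\- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile - omitted for duplicate
"""

# prefix of tree-drawing characters, then groupId:artifactId:..., optional verbose note
LINE_RE = re.compile(r"^\[INFO\] ([|\\+\- ]*)(\S+:\S+)(?: - (.*))?$")


def find_paths(tree_text: str, group_artifact: str) -> List[List[str]]:
    """Return every root-to-artifact path for `groupId:artifactId` in the tree.

    Each path is a list of full coordinate strings; index 1 is the direct
    dependency that pulls the artifact in, i.e. where an <exclusion> belongs.
    """
    paths: List[List[str]] = []
    stack: List[str] = []  # coordinates of the ancestors at each depth
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated [INFO] lines (banners, timings)
        prefix, coords, _note = m.groups()
        depth = len(prefix) // 3  # each nesting level is a 3-character cell
        stack = stack[:depth] + [coords]
        if ":".join(coords.split(":")[:2]) == group_artifact:
            paths.append(list(stack))
    return paths


def exclusion_xml(path: List[str]) -> str:
    """Maven <exclusion> element for the artifact at the end of `path`."""
    group, artifact = path[-1].split(":")[:2]
    direct = ":".join(path[1].split(":")[:2])
    return (f"<!-- add under <dependency> {direct} -->\n<exclusion>\n"
            f"  <groupId>{group}</groupId>\n"
            f"  <artifactId>{artifact}</artifactId>\n</exclusion>")


if __name__ == "__main__":
    for p in find_paths(SAMPLE_TREE, "org.codehaus.jackson:jackson-mapper-asl"):
        print(" -> ".join(p))
        print(exclusion_xml(p))
```

Feed it the real tree with `mvn dependency:tree -Dverbose -Dincludes=org.codehaus.jackson > tree.txt`; without `-Dverbose` Maven prints each artifact once, so an artifact reached through several direct dependencies appears on only one route.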

6 participants