Loading...

XML

Word

Printable

Type: New Feature
Resolution: Done
Priority: Major
Fix Version/s: 8.5.1
Affects Version/s: 8.0.5, 8.5.0, 8.5.1
Component/s: Databind 2
Security Level: Jimmy
Labels:
- binding
- client
- security

Upgrade the dackson-databind dependency to address known vulnerabilities:

https://access.redhat.com/security/cve/cve-2017-7525
https://access.redhat.com/security/cve/cve-2017-15095
https://access.redhat.com/security/cve/cve-2017-17485

fixed in by
https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-342983770
https://github.com/FasterXML/jackson-databind/issues/1837
https://github.com/FasterXML/jackson-databind/issues/1855

The latest fix is only available in 2.8.11 and 2.9.4 (both only supporting Java >=7)

Workaround

Manually add the dependency for 2.9.4

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.9.4</version>
</dependency>

exclude jackson-databind and use the GSON converter instead:

<dependency>
	<groupId>org.zkoss.zk</groupId>
	<artifactId>zkmax</artifactId>
	<version>${zk.version}</version>
	<exclusions>
		<exclusion>
			<groupId>com.fasterxml.jackson.core</groupId>
			<artifactId>jackson-databind</artifactId>
		</exclusion>
	</exclusions>
</dependency>

in zk.xml (configure the alternative converter)

<library-property>
	<name>org.zkoss.bind.jsonBindingParamConverter.class</name>
	<value>org.zkoss.zkmax.bind.GsonConverter</value>
</library-property>

Assignee:: rudyhuang

Reporter:: cor3000

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 01/Feb/18 6:17 AM

Updated:: 02/Feb/18 10:20 AM

Resolved:: 02/Feb/18 10:20 AM

Estimated:

Remaining:

Logged:

Details

Description

Workaround

Attachments

Activity

People

Dates

Time Tracking