
Upgrade `jackson-jr-objects` to `2.15.0` or higher to remediate DDoS vulnerability

Open abiskop opened this issue 1 year ago • 1 comments

Release cf-java-logging-support-log4j2: 3.8.4 transitively depends on jackson-core: 2.14.2:

```text
[INFO] |  +- com.sap.hcp.cf.logging:cf-java-logging-support-log4j2:jar:3.8.4:compile
[INFO] |  |  \- com.sap.hcp.cf.logging:cf-java-logging-support-core:jar:3.8.4:compile
[INFO] |  |     \- com.fasterxml.jackson.jr:jackson-jr-objects:jar:2.14.2:compile
[INFO] |  |        \- com.fasterxml.jackson.core:jackson-core:jar:2.14.2:compile
```

Library jackson-core: 2.14.2 contains a DDoS vulnerability, see e.g.: https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538

Please consider upgrading to 2.15.0 or higher.

abiskop avatar Dec 27 '24 10:12 abiskop
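An added example, not part of this issue or of the cf-java-logging-support project: a small Python check that parses `mvn dependency:tree` output and flags every artifact whose version is below a configured floor. The sample input is constructed from the tree quoted above, the 2.15.0 floor is the version the issue asks for, and the function and constant names (`parse_tree_line`, `version_lt`, `find_outdated`, `MIN_VERSIONS`) are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the `mvn dependency:tree` lines quoted in the issue.
SAMPLE_TREE = """\
[INFO] |  +- com.sap.hcp.cf.logging:cf-java-logging-support-log4j2:jar:3.8.4:compile
[INFO] |  |  \\- com.sap.hcp.cf.logging:cf-java-logging-support-core:jar:3.8.4:compile
[INFO] |  |     \\- com.fasterxml.jackson.jr:jackson-jr-objects:jar:2.14.2:compile
[INFO] |  |        \\- com.fasterxml.jackson.core:jackson-core:jar:2.14.2:compile
"""

# Minimum acceptable versions, keyed by groupId:artifactId. The 2.15.0 floor for the
# two Jackson artifacts is taken from the issue; extend this map with your own policy.
MIN_VERSIONS = {
    "com.fasterxml.jackson.core:jackson-core": "2.15.0",
    "com.fasterxml.jackson.jr:jackson-jr-objects": "2.15.0",
}

MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def parse_tree_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for one dependency:tree line, else None.

    Maven prints coordinates as group:artifact:type:version[:scope] or, with a
    classifier, group:artifact:type:classifier:version[:scope]. The version is the
    last field unless a scope follows it, so we locate it from the end.
    """
    body = line.replace("[INFO]", "", 1).lstrip(" |+\\-")
    tokens = body.split()  # drop trailing notes such as "(version managed from ...)"
    if not tokens:
        return None
    parts = tokens[0].split(":")
    if len(parts) < 4:
        return None
    version = parts[-2] if parts[-1] in MAVEN_SCOPES else parts[-1]
    return f"{parts[0]}:{parts[1]}", version


def _version_key(v: str) -> tuple:
    # Numeric components compare as integers; a textual qualifier (rc1, beta, ...)
    # sorts below any number so that 2.15.0-rc1 < 2.15.0, as Maven orders them.
    key = []
    for tok in re.split(r"[.\-]", v):
        key.append((1, int(tok), "") if tok.isdigit() else (0, 0, tok.lower()))
    return tuple(key)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b."""
    ka, kb = _version_key(a), _version_key(b)
    pad = (1, 0, "")  # missing trailing components count as .0
    n = max(len(ka), len(kb))
    return ka + (pad,) * (n - len(ka)) < kb + (pad,) * (n - len(kb))


def find_outdated(tree_text: str, minimums=MIN_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (groupId:artifactId, found_version, required_minimum) for each
    resolved artifact in the tree that is below its configured floor."""
    findings = []
    for line in tree_text.splitlines():
        parsed = parse_tree_line(line)
        if parsed is None:
            continue
        ga, version = parsed
        floor = minimums.get(ga)
        if floor is not None and version_lt(version, floor):
            findings.append((ga, version, floor))
    return findings


if __name__ == "__main__":
    # Typical use: mvn dependency:tree | python check_tree.py
    for ga, found, floor in find_outdated(SAMPLE_TREE):
        print(f"{ga} resolved to {found}, below required {floor}")
```

Until a release of the library with the newer dependency is available, a consuming Maven project can force the transitive version itself by declaring `com.fasterxml.jackson.core:jackson-core` (and `com.fasterxml.jackson.jr:jackson-jr-objects`) at the desired version in its own `dependencyManagement` section; managed versions win over transitive ones. Re-run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` afterwards and feed the output through a check like the one above to confirm that only the pinned version remains.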

Thanks for raising this issue. Note that the vulnerability is during deserialization of JSON data. This library uses jackson only for serialization. Nevertheless, I will upgrade the dependency and create a new library version soon.

KarstenSchnitter avatar Dec 31 '24 15:12 KarstenSchnitter

Hi @KarstenSchnitter, do you know when this fix might be released?

swendlandt avatar Apr 22 '25 07:04 swendlandt

Originally, I did not plan a release for this change, but I am going to create one within the next 2 weeks.

KarstenSchnitter avatar Apr 24 '25 05:04 KarstenSchnitter

Fixed with release v3.8.5.

KarstenSchnitter avatar May 14 '25 08:05 KarstenSchnitter