
CVE-2023-35116: jackson-databind package versions before 2.15.2 are vulnerable to Denial of Service (DoS) #63

Closed
tcherel opened this issue Nov 13, 2023 · 9 comments

Comments

@tcherel

tcherel commented Nov 13, 2023

See FasterXML/jackson-databind#3972 and https://nvd.nist.gov/vuln/detail/CVE-2023-35116

It requires an upgrade to jackson-databind 2.15.3
Can it be done for the COS SDK?

Thanks.

@avinash1IBM
Member

This will be addressed, and a new version will be released shortly.

@kashok7474

Will the next version address https://nvd.nist.gov/vuln/detail/CVE-2023-35116?

@avinash1IBM
Member

@kashok7474 Yes, you can take a look at this: FasterXML/jackson-databind#3972 (comment)

@tcherel
Author

tcherel commented Nov 22, 2023

@avinash1IBM do you have an ETA for the new cos SDK version with the jackson-databind upgrade?
Just trying to figure out if we can get it included in our upcoming new release or not.
Thanks.

@avinash1IBM
Member

@tcherel The most recent update from the jackson-databind team is that this is not a vulnerability; you can read this here. So even the NVD website added this note below.

> NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

So can we mark this as closed?

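The vendor note above turns on one technical point: the failing case is a cyclic object graph that the application itself builds and then hands to Jackson for serialization, not something an external caller can inject through deserialization. The following is an added example, not code from ibm-cos-sdk-java or from jackson-databind, that reproduces the failure on a plain POJO and shows the standard mitigation (Jackson's `@JsonIdentityInfo` object-id tracking, so that a back-reference is written as an id instead of being descended into again). The `Node`/`SafeNode` classes and `serializationFails` helper are hypothetical names chosen for the example; it assumes `com.fasterxml.jackson.core:jackson-databind` is on the classpath.

```java
// Added example (not from ibm-cos-sdk-java or jackson-databind): reproduces the
// cyclic-object serialization failure discussed for CVE-2023-35116 and shows the
// usual mitigation. Assumes com.fasterxml.jackson.core:jackson-databind is on
// the classpath. Class and method names below are hypothetical.
import com.fasterxml.jackson.annotation.JsonIdentityInfo;
import com.fasterxml.jackson.annotation.ObjectIdGenerators;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class CyclicSerializationDemo {

    // Hypothetical POJO with a self-reference. Nothing an attacker sends over the
    // wire produces this object graph: the application has to wire the cycle.
    public static class Node {
        public String name;
        public Node next;
        public Node(String name) { this.name = name; }
    }

    // Same shape with object identity tracking: once an object has been written
    // (keyed by its "name" property), later references to it are serialized as
    // that id value rather than recursing into the object again.
    @JsonIdentityInfo(generator = ObjectIdGenerators.PropertyGenerator.class, property = "name")
    public static class SafeNode {
        public String name;
        public SafeNode next;
        public SafeNode(String name) { this.name = name; }
    }

    // Returns true if Jackson refuses to serialize the value. Depending on the
    // Jackson version and the value type, the failure surfaces either as a
    // JsonMappingException wrapping a StackOverflowError ("Infinite recursion")
    // or as a raw StackOverflowError, so both are caught here.
    public static boolean serializationFails(ObjectMapper mapper, Object value) {
        try {
            mapper.writeValueAsString(value);
            return false;
        } catch (JsonProcessingException | StackOverflowError e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // Unsafe: a -> b -> a, built in-process by the application.
        Node a = new Node("a");
        Node b = new Node("b");
        a.next = b;
        b.next = a;
        System.out.println("plain cyclic POJO fails: " + serializationFails(mapper, a));

        // Mitigated: the identical cycle, but the back-reference becomes an id.
        SafeNode sa = new SafeNode("a");
        SafeNode sb = new SafeNode("b");
        sa.next = sb;
        sb.next = sa;
        System.out.println("identity-tracked POJO: " + mapper.writeValueAsString(sa));
    }
}
```

For the scanner-driven upgrade the thread is actually about, the practical check is which jackson-databind version the SDK brings in transitively; in a Maven project `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` shows that, and a `dependencyManagement` entry pinning `jackson-databind` to the fixed version overrides the transitive one until the SDK release that bumps it is picked up.
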
@tcherel
Author

tcherel commented Nov 27, 2023

@avinash1IBM Unfortunately, this is not that simple.
We have large customers (we both work for the same company :-) ) that are not easily buying the "not vulnerable" justification and that are pushing really hard to get clean OSS scans before they can deploy the software (based on their own corporate policies).
Things are much easier if the scan result is clean and, in this particular case where it should be a simple/backward compatible upgrade, the upgrade is definitely a better approach.
You can reach me internally (email or slack: Thomas Cherel) if you want to discuss this further.
Thanks.

@avinash1IBM
Member

We will do a new release that upgrades the above dependency.

@avinash1IBM
Member

A new version of ibm-cos-sdk-java has been released to address this vulnerability. Can you please close this issue?

@tcherel
Author

tcherel commented Dec 4, 2023

Thanks @avinash1IBM
Closing this GitHub issue.
