[RMB-907] jackson-databind 2.13.2.1, Vert.x 4.2.6, log4j 2.17.2 (CVE-2020-36518) - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Affects Version/s: None
Fix Version/s: 33.2.8, 33.2.9
Labels:
- security
- security-reviewed

Template:

Standard Bug Write-Up Format
Sprint:
CP: sprint 136, CP: sprint 137
Story Points:
1
Development Team:
Core: Platform
RCA Group:
TBD

Description

Update jackson-databind from 2.13.1 to 2.13.2.1 fixing https://nvd.nist.gov/vuln/detail/CVE-2020-36518

Update Vert.x from 4.2.5 to 4.2.6.

Update log4j from 2.17.1 to 2.17.2.

Additional information

Regarding jackson-databind upgrade from 2.13.1 to 2.13.2.1:

BasicDeserializerFactory automatically returns the UntypedObjectDeserializer class for java type Object and Serializable:
https://github.com/FasterXML/jackson-databind/blob/jackson-databind-2.13.2.1/src/main/java/com/fasterxml/jackson/databind/deser/BasicDeserializerFactory.java#-L2058-L2082

TestRail: Results

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...; Page Loading...

Activity

People

Assignee:: Julian Ladisch

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 28/Mar/22 7:09 AM

Updated:: 28/Apr/22 3:39 PM

Resolved:: 14/Apr/22 5:48 PM

TestRail: Runs

TestRail: Cases