Reputation: 81
I have a Maven web project (RESTful, Spring REST/Data) running on Java 8 (Tomcat 8.5.5) and using 'jackson-databind-2.9.8.jar'. When the Dependency Check Tool (which checks for vulnerable jar versions and generates a report) is run against the libraries the project uses, it shows 'jackson-databind-2.9.8.jar' as vulnerable (reference: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afasterxml&cpe_product=cpe%3A%2F%3Afasterxml%3Ajackson-databind&cpe_version=cpe%3A%2F%3Afasterxml%3Ajackson-databind%3A2.9.8).
Problem: changing to 'jackson-databind-2.10.0.jar' fixes the OWASP security issue (when running the Dependency Check Tool), but when the project is built and run it throws an error, since 2.10.0 uses JDK 9+ compliant classes (reference: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10).
What should be done to resolve the issue? Can we make the project compile on Java 8 and run on JDK 11 (since JDK 9 is out of support), or should something else be done? Please suggest. Thanks in advance!
Upvotes: 1
Views: 1344
Reputation: 6420
CVE-2019-12086 is fixed in jackson-databind-2.9.9.jar.
See the report: https://nvd.nist.gov/vuln/detail/CVE-2019-12086
Maven repo for 2.9.9: https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.9
Upvotes: 1
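The following pom.xml fragment is an added example, not code from the question or the answer above. It shows how to stay on the Java 8 compatible 2.9.x line while making sure the patched version actually wins: Spring REST/Data pulls jackson-databind in transitively, so a plain `<dependency>` on 2.9.9 can still be overridden by an older version elsewhere in the graph, whereas a `<dependencyManagement>` entry (here via the jackson-bom import) forces the version for every module. The OWASP Dependency-Check Maven plugin is then wired into the build so a vulnerable jar fails `mvn verify` instead of only appearing in a report. The artifact coordinates and the `failBuildOnCVSS` parameter are real; the plugin version number and the CVSS threshold are assumptions to be replaced with your own values.

```xml
<!-- Added example (not from the original post): pin Jackson to the patched 2.9.x
     line on Java 8 and gate the build on OWASP Dependency-Check results. -->
<project>
  <properties>
    <!-- 2.9.9 is the version named in the answer; take the newest 2.9.x patch
         the scanner accepts, since later 2.9.x releases patched further
         deserialization gadget CVEs. -->
    <jackson.version>2.9.9</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the Jackson BOM pins jackson-databind, jackson-core and
           jackson-annotations together. dependencyManagement takes precedence
           over versions pulled in transitively by spring-web / spring-data-rest,
           so the old 2.9.8 jar cannot reappear through another dependency. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Run Dependency-Check on every build and fail on high-severity findings
           instead of only writing a report. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- assumed version: substitute the current plugin release -->
        <version>5.3.2</version>
        <configuration>
          <!-- assumed threshold: fail when any finding scores CVSS 7.0 or higher -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After editing the pom, confirm what Maven actually resolved with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`; if any path still shows 2.9.8, the override is not being applied (for example because a parent POM manages the version) and the build should be fixed before re-running the scanner. This keeps the project compiling and running on Java 8 as the question asks, with no need to move to JDK 11 just to pick up the Jackson fix.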