
Security vulnerability with FasterXML Jackson libraries included with ZKEE

asked 2018-02-01 04:39:36 +0800

sahild
117 4

updated 2018-02-01 04:40:41 +0800

We were just identified as having a security vulnerability in our product. The vulnerability is related to the FasterXML Jackson libraries included with ZKEE 8.0.5 (and 8.5.0) releases. It appears both levels of ZKEE are using version 2.5.1 of the FasterXML libraries and the fix is in the very recent 2.9.4 FasterXML Jackson released on January 21, 2018.
We know this is new, but wanted to see if you knew about this and if there are plans to release an 8.0.x and 8.5.x version with an upgrade to this new level. Or do you know if it will work if we just replace the jackson-xxxx.jar files with the latest ones? FYI, the Common Vulnerabilities and Exposures (CVE) numbers are: CVE-2017-7525, CVE-2017-15095, CVE-2017-17485.


Comments

thanks for pointing that one out, we are on it

cor3000 ( 2018-02-01 10:33:50 +0800 )edit

4 Answers

1

answered 2018-02-01 13:09:16 +0800

cor3000
6280 2 7

updated 2018-02-05 16:47:08 +0800

My initial tests show that 2.9.4 still works with ZK (if you can live without Java 6 - I think we all can)

https://nvd.nist.gov/vuln/detail/CVE-2017-17485
https://github.com/FasterXML/jackson-databind/issues/1855

The other option is to exclude jackson-databind completely from your dependencies and use the GsonConverter as mentioned earlier.

JIRA ticket: ZK-3857

UPDATE: ZK-3857 / ZK-3859 will both be addressed in 8.5.1

  • jackson-databind will be removed by default (since the latest version 2.9.4 doesn't support Java 6 anymore)
  • commons-fileupload will be using 1.3.3

Comments

while you're at it, also update commons-fileupload to 1.3.3 http://tracker.zkoss.org/browse/ZK-3859

cor3000 ( 2018-02-01 14:45:00 +0800 )edit
0

answered 2018-02-01 11:38:43 +0800

cor3000
6280 2 7

updated 2018-02-01 11:38:59 +0800

The Jackson libraries are used for an optional feature (ZK-2650).

If you don't use client-side binding in combination with Pojo-JSON (or reverse) conversion, it is not active. I'll perform a few more tests to verify that, and also whether the latest version 2.9.4 will work with the existing features.

ZK-2650 also mentions a switch to disable Jackson and use the alternative GSON converter instead.

<library-property>
    <name>org.zkoss.bind.jsonBindingParamConverter.class</name>
    <value>org.zkoss.zkmax.bind.GsonConverter</value>
</library-property>
0

answered 2018-02-01 22:27:54 +0800

sahild
117 4

When we first upgraded from ZK 7.0.x to 8.0.5, we hadn't included the jackson-xxx.jar files, but we noticed there were exceptions because they were missing, so we included them to remove the exceptions.


Comments

Yes, if you configure the GSON converter, ZK won't initialize Jackson and the libs can be removed.

cor3000 ( 2018-02-02 14:48:56 +0800 )edit
0

answered 2018-03-22 00:02:34 +0800

sahild
117 4

We just replaced the Jackson libraries with the latest release (Jan 2018). This passed the security scans. Thanks for helping.

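As an added check that is not part of this thread (and not ZK's or FasterXML's own code), the script below audits a deployed WEB-INF the way the two remedies discussed here suggest: it flags jackson-databind jars older than the 2.9.4 release named in the question, and reads zk.xml for the GsonConverter library-property from the earlier answer, which is what stops ZK from initialising Jackson at all. The WEB-INF layout it builds for testing is constructed, not a real deployment.

```python
# Audit a ZK app's WEB-INF: bundled jackson-databind version and the zk.xml GsonConverter switch.
import os, zipfile, tempfile
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 9, 4)  # the jackson-databind release the question names as carrying the fix
GSON_CONVERTER = "org.zkoss.zkmax.bind.GsonConverter"
CONVERTER_PROP = "org.zkoss.bind.jsonBindingParamConverter.class"

def parse_version(text):
    return tuple(int(p) for p in text.strip().split("."))

def jar_version(path):
    """Version recorded in the jar's Maven pom.properties, or None when the jar carries none."""
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            if name.endswith("jackson-databind/pom.properties"):
                for line in jar.read(name).decode().splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    return None

def gson_converter_configured(zk_xml):
    """True when zk.xml routes Pojo-JSON binding through GsonConverter, so ZK does not initialise Jackson."""
    for prop in ET.parse(zk_xml).getroot().iter("library-property"):
        if (prop.findtext("name") or "").strip() == CONVERTER_PROP:
            return (prop.findtext("value") or "").strip() == GSON_CONVERTER
    return False

def audit(webinf):
    """List jackson-databind jars below FIXED_VERSION (or of unknown version) and whether ZK would load them."""
    outdated = []
    for name in sorted(os.listdir(os.path.join(webinf, "lib"))):
        if name.startswith("jackson-databind"):
            version = jar_version(os.path.join(webinf, "lib", name))
            if version is None or version < FIXED_VERSION:
                outdated.append((name, version))
    return {"outdated": outdated,
            "zk_uses_jackson": not gson_converter_configured(os.path.join(webinf, "zk.xml"))}

def make_sample_webinf(version, gson):
    """Constructed test fixture: a throwaway WEB-INF with a dummy jackson-databind jar and a zk.xml."""
    webinf = tempfile.mkdtemp()
    os.mkdir(os.path.join(webinf, "lib"))
    with zipfile.ZipFile(os.path.join(webinf, "lib", f"jackson-databind-{version}.jar"), "w") as jar:
        jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties", f"version={version}\n")
    prop = f"<library-property><name>{CONVERTER_PROP}</name><value>{GSON_CONVERTER}</value></library-property>"
    with open(os.path.join(webinf, "zk.xml"), "w") as f:
        f.write(f"<zk>{prop if gson else ''}</zk>")
    return webinf
```

An outdated jar with `zk_uses_jackson` False still deserves removal, since other code in the application may load it even though ZK itself will not.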