Open schubon opened 4 years ago
The latest version of the jackson-core-asl and jackson-mapper-asl libraries is 1.9.13, and it is from 2013. There have been no further releases since then.
Hadoop and HBase also use these libraries in the newest released version, 3.1 from Nov. 2019:
/usr/hdp/3.1.0.0-78/hbase/lib/jackson-core-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hbase/lib/jackson-mapper-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-core-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-mapper-asl-1.9.13.jar
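Since the codehaus line has no fixed release, the only thing a practitioner can do on an installed cluster is find every copy and treat each one as affected. The script below is an added example, not code from the issue or from the streamsx.hdfs project: it walks a lib tree, flags jackson-core-asl / jackson-mapper-asl jars by filename and version (anything at or below 1.9.13, which is every version that exists), and additionally opens jars with other names to catch shaded or uber jars that bundle `org.codehaus.jackson` classes, which a filename check alone misses. The directory layout it builds under a temp directory is constructed to mirror the HDP 3.1.0.0-78 paths quoted above; point `scan_tree` at a real `/usr/hdp/<version>` for an actual inventory.

```python
"""Inventory codehaus jackson (jackson-*-asl) jars, CVE-2019-10172.

Added example, not part of the original issue or of streamsx.hdfs.
The sample tree built by build_constructed_tree() is constructed for
demonstration and only mirrors the paths quoted in the issue.
"""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# GHSA for CVE-2019-10172: vulnerable <= 1.9.13, no patched version.
# 1.9.13 is also the last release the codehaus line ever had, so every
# copy located is affected; this is an inventory check, not a remediation.
LAST_CODEHAUS_RELEASE = (1, 9, 13)
JAR_RE = re.compile(r"^(jackson-(?:core|mapper)-asl)-(\d+(?:\.\d+)*)\.jar$")
CODEHAUS_PKG = "org/codehaus/jackson/"


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.9.13' -> (1, 9, 13); tuple compare gives correct numeric ordering."""
    return tuple(int(p) for p in text.split("."))


def classify_jar_name(name: str) -> Optional[Tuple[str, Tuple[int, ...], bool]]:
    """Return (artifact, version, vulnerable) for a jackson-*-asl jar, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    artifact, version = m.group(1), parse_version(m.group(2))
    return artifact, version, version <= LAST_CODEHAUS_RELEASE


def bundles_codehaus_jackson(jar_path: str) -> bool:
    """True if the jar carries org.codehaus.jackson classes (shaded/uber jars)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return any(n.startswith(CODEHAUS_PKG) and n.endswith(".class")
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_tree(root: str) -> List[Tuple[str, str, str, str]]:
    """Return (path, artifact, version, how) for every affected jar under root."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        info = classify_jar_name(jar.name)
        if info is not None:
            if info[2]:
                findings.append((str(jar), info[0], ".".join(map(str, info[1])), "by-name"))
        elif bundles_codehaus_jackson(str(jar)):
            findings.append((str(jar), "bundled", "unknown", "by-class"))
    return findings


def build_constructed_tree(root: str) -> None:
    """Constructed sample layout mirroring the HDP 3.1.0.0-78 paths in the issue.

    Each 'jar' is a minimal zip with a few empty class entries; an unrelated
    jar and a hypothetical uber jar are included to exercise both checks.
    """
    layout = {
        "hbase/lib/jackson-core-asl-1.9.13.jar": ["org/codehaus/jackson/JsonParser.class"],
        "hbase/lib/jackson-mapper-asl-1.9.13.jar": ["org/codehaus/jackson/map/ObjectMapper.class"],
        "hadoop/lib/jackson-core-asl-1.9.13.jar": ["org/codehaus/jackson/JsonParser.class"],
        "hadoop/lib/jackson-mapper-asl-1.9.13.jar": ["org/codehaus/jackson/map/ObjectMapper.class"],
        "hadoop/lib/commons-lang-2.6.jar": ["org/apache/commons/lang/StringUtils.class"],
        "app/lib/my-uber-app-1.0.jar": ["com/example/Main.class",
                                        "org/codehaus/jackson/map/ObjectMapper.class"],
    }
    for rel, entries in layout.items():
        path = Path(root, "3.1.0.0-78", rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")


def demo() -> List[Tuple[str, str, str, str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, artifact, version, how in demo():
        print(f"{how:8} {artifact:20} {version:8} {path}")
```

On the constructed tree this reports the four jackson-*-asl jars by name plus the uber jar by class content. Because no patched 1.9.x build exists, a hit cannot be closed by bumping a version; the dependency has to be removed or replaced (the maintained successor of these artifacts is the `com.fasterxml.jackson` 2.x line, a different package and API), and the by-class check matters precisely because a shaded copy keeps the vulnerable classes on the classpath even after the named jar is gone.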
Correction delivered in version streamsx.hdfs 5.2.0 https://github.com/IBMStreams/streamsx.hdfs/releases/tag/v5.2.0
Why is this issue closed? It looks like we don't have a fix for this vulnerability yet.
I have to agree, @xuzikun2003: as there are no new versions of the libraries showing the vulnerability, it cannot be corrected.
Details
CVE-2019-10172
Moderate severity
Vulnerable versions: <= 1.9.13
Patched version: No fix
A flaw was found in the org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.
Remediation
No patched version is available.