Closed MrManz closed 4 years ago
@MrManz Please sign the Contributor License Agreement!
@MrManz Thank you for signing the Contributor License Agreement!
This patch would be very helpful. I was wondering why Jackson is bundled into this JAR: https://github.com/spring-cloud/spring-cloud-connectors/blob/0ebd0c419081fb14f4e416ddc2239a3f065942b7/spring-cloud-cloudfoundry-connector/build.gradle#L26
That makes it really hard to patch it should any security vulnerabilities occur (which happened frequently in recent weeks).
> I was wondering why Jackson is bundled into this JAR
@franzbecker The short answer is "for historical reasons". This lib was built many years ago and designed to support multiple versions of Spring Framework and Spring Data libs, which might also depend on specific versions of Jackson. The safest thing to do was to shadow Jackson into Connectors.
As noted in the README, this project is now in maintenance mode. Only critical bugs and CVEs will be addressed going forward, which unfortunately is likely to be mostly comprised of Jackson updates.
> That makes it really hard to patch it should any security vulnerabilities occur (which happened frequently in recent weeks).
The best way to avoid being affected by these vulnerabilities is to stop using the Connectors lib and use Java CFEnv instead.
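The shading described above is what makes a Jackson CVE awkward for Connectors users: dependency scanners key off Maven coordinates, so a jackson-databind copy relocated into another artifact's package is invisible to them, and the application can be on a patched Jackson while the shaded copy stays vulnerable. The following is an added example, not code from the Connectors project or this PR. It walks the zip entries of a jar (recursing into nested jars, Spring Boot `BOOT-INF/lib` style) and reports every jackson-databind copy by its package prefix and, where the Maven `pom.properties` survived shading, its version. The sample fat jar, the relocation prefix `org.springframework.cloud.cloudfoundry`, and the `2.9.9` version of the shaded copy are constructed for the demonstration and are assumptions, not facts about the real Connectors jar.

```python
"""Find jackson-databind copies bundled (shaded) inside a jar.

Added example; not part of spring-cloud-connectors.  Detection is by class
path suffix, so a copy relocated to any package prefix is still found.
"""
import io
import re
import zipfile
from typing import Dict, List

# Every jackson-databind copy ships this class, whatever prefix it was relocated to.
DATABIND_MARKER = "com/fasterxml/jackson/databind/ObjectMapper.class"
# Maven metadata that shading keeps unless the build explicitly excludes META-INF.
POM_PROPS_RE = re.compile(r"META-INF/maven/[^/]+/jackson-databind/pom\.properties$")
VERSION_RE = re.compile(r"^version=(\S+)", re.M)


def parse_version(v: str) -> tuple:
    """'2.9.10.8' -> (2, 9, 10, 8); tuple comparison orders Jackson releases."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def scan_jar(jar_bytes: bytes) -> Dict[str, List[str]]:
    """Return {'prefixes': [...], 'versions': [...]} for all databind copies.

    prefixes: package prefix in front of com.fasterxml.jackson.databind
              ('' means an unrelocated, normally declared dependency).
    versions: whatever jackson-databind pom.properties declare, if any survived.
    """
    found: Dict[str, List[str]] = {"prefixes": [], "versions": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(DATABIND_MARKER):
                prefix = name[: -len(DATABIND_MARKER)].rstrip("/").replace("/", ".")
                found["prefixes"].append(prefix)
            elif POM_PROPS_RE.search(name):
                m = VERSION_RE.search(zf.read(name).decode("utf-8", "replace"))
                if m:
                    found["versions"].append(m.group(1))
            elif name.endswith(".jar"):
                # Nested jar (e.g. BOOT-INF/lib/*.jar): scan it in place.
                nested = scan_jar(zf.read(name))
                found["prefixes"] += nested["prefixes"]
                found["versions"] += nested["versions"]
    found["prefixes"].sort()
    found["versions"].sort(key=parse_version)
    return found


def versions_below(jar_bytes: bytes, minimum: str) -> List[str]:
    """Versions of bundled jackson-databind copies older than `minimum`."""
    floor = parse_version(minimum)
    return [v for v in scan_jar(jar_bytes)["versions"] if parse_version(v) < floor]


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used only to construct sample input below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a Connectors-style jar with Jackson relocated under an
# assumed prefix and its own pom.properties still present at version 2.9.9.
SHADED_CONNECTOR_JAR = build_jar({
    "org/springframework/cloud/cloudfoundry/CloudFoundryConnector.class": b"\xca\xfe\xba\xbe",
    "org/springframework/cloud/cloudfoundry/" + DATABIND_MARKER: b"\xca\xfe\xba\xbe",
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties":
        b"groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.9.9\n",
})

# Constructed sample: a Spring Boot fat jar whose declared Jackson is already
# 2.10.0 but which also carries the shaded 2.9.9 copy via the Connectors jar.
FAT_JAR = build_jar({
    "BOOT-INF/lib/jackson-databind-2.10.0.jar": build_jar({
        DATABIND_MARKER: b"\xca\xfe\xba\xbe",
        "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties":
            b"version=2.10.0\n",
    }),
    "BOOT-INF/lib/spring-cloud-cloudfoundry-connector.jar": SHADED_CONNECTOR_JAR,
})

if __name__ == "__main__":
    print(scan_jar(FAT_JAR))
    print("below 2.10.0:", versions_below(FAT_JAR, "2.10.0"))
```

Run against a real deployable, the interesting outcome is a non-empty `prefixes` list with an empty `versions` list: a relocated copy whose Maven metadata was stripped. That copy has to be versioned by hand (for example from the class file constant pool or release notes), because no coordinate-based scanner will ever flag it.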
Update jackson-databind to version 2.10.0, which fixes several CVEs (https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10)