• Type: Improvement
• Resolution: Unresolved
• Priority: Major
• Component/s: ec2-deployment-dashboard-plugin, github-plugin
• Labels:

  • security-hardening

[JENKINS-51344] Jackson-Databind needs to be upgraded to 2.9.4+ to address CVE-2018-5968

Bill Stephens created issue - 2018-05-15 14:39

Collapse comment: Daniel Beck added a comment - 2018-05-15 14:46

Daniel Beck added a comment - 2018-05-15 14:46

Specifically, the CVE being identified by crappy security scanners, as none of these plugins opt in to the affected feature in jackson-databind, last time I checked at least.

Expand comment: Daniel Beck added a comment - 2018-05-15 14:46

Daniel Beck added a comment - 2018-05-15 14:46 Specifically, the CVE being identified by crappy security scanners, as none of these plugins opt in to the affected feature in jackson-databind, last time I checked at least.

Collapse comment: Oleg Nenashev added a comment - 2018-05-15 14:49

Oleg Nenashev added a comment - 2018-05-15 14:49

bstephens just for the future, please follow the https://jenkins.io/security/#reporting-vulnerabilities process if you see security-related issues. Regarding this particular CVE, we recently did investigation, and we didn't discover any usages of the vulnerable API in JIRA. Updates would be nice, but there is no security defect on the Jenkins side. If you see ones, please report them accordingly.

Generally all listed plugins should switch to Jackson Databind Plugin or Jackson2 API Plugin so that they do not bundle the dependencies on their own

Expand comment: Oleg Nenashev added a comment - 2018-05-15 14:49

Oleg Nenashev added a comment - 2018-05-15 14:49 bstephens just for the future, please follow the https://jenkins.io/security/#reporting-vulnerabilities process if you see security-related issues. Regarding this particular CVE, we recently did investigation, and we didn't discover any usages of the vulnerable API in JIRA. Updates would be nice, but there is no security defect on the Jenkins side. If you see ones, please report them accordingly. Generally all listed plugins should switch to Jackson Databind Plugin or Jackson2 API Plugin so that they do not bundle the dependencies on their own

Oleg Nenashev made changes - 2018-05-15 14:49

Labels

New: security-hardening

Collapse comment: Oleg Nenashev added a comment - 2018-05-16 10:13

Oleg Nenashev added a comment - 2018-05-16 10:13

bstephens I suggest creating a separate issue for each plugin in question

Expand comment: Oleg Nenashev added a comment - 2018-05-16 10:13

Oleg Nenashev added a comment - 2018-05-16 10:13 bstephens I suggest creating a separate issue for each plugin in question

Olivier Lamy made changes - 2018-10-12 08:04

Component/s

Original: jira-plugin [ 15515 ]

Collapse comment: Lai DaZhi added a comment - 2019-07-30 02:18, Edited by Lai DaZhi - 2019-07-30 02:39

Lai DaZhi added a comment - 2019-07-30 02:18 - edited

https://help.aliyun.com/noticelist/articleid/1060030951.html?spm=5176.12809143.sas.12.6532kyPjkyPjSj

 

CVE-2019-12384

Expand comment: Lai DaZhi added a comment - 2019-07-30 02:18, Edited by Lai DaZhi - 2019-07-30 02:39

Lai DaZhi added a comment - 2019-07-30 02:18 - edited https://help.aliyun.com/noticelist/articleid/1060030951.html?spm=5176.12809143.sas.12.6532kyPjkyPjSj   CVE-2019-12384

Lai DaZhi made changes - 2019-07-30 03:41

Rank

New: Ranked higher

Lai DaZhi made changes - 2019-07-30 03:41

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]