Vulnerability found in org.codehaus.jackson:jackson-mapper-asl

[schubon]

Details

CVE-2019-10172

moderate severity
Vulnerable versions: <= 1.9.13
Patched version: No fix

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.

Remediation

No patched version is available.

[anouri]

The latest version of jackson-core-asl and ackson-mapper-asl libraries are 1.9.13 and they are from 2013.
There has been no further releases since then.

Hadoop and HBase uses these libraries also in the newest released version 3.1 from Nov. 2019.

/usr/hdp/3.1.0.0-78/hbase/lib/jackson-core-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hbase/lib/jackson-mapper-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-core-asl-1.9.13.jar
/usr/hdp/3.1.0.0-78/hadoop/lib/jackson-mapper-asl-1.9.13.jar

[anouri]

Correction delivered in version streamsx.hdfs 5.2.0
https://github.com/IBMStreams/streamsx.hdfs/releases/tag/v5.2.0

[xuzikun2003]

Why is this issue closed? It looks like we don't have a fix for this vulnerability yet.

[schubon]

I have to agree @xuzikun2003, as there are no new versions of the libraries showing the vulnerability, it cannot be corrected.