
Because of the Jackson Databind vulnerabilities, a saga that has been going on for some time now, our security team has asked us to move away from the Jackson library altogether to Gson. We successfully completed this, but we have now come to learn that Spring itself has a runtime dependency on Jackson. As a result, unless we can identify and remove this dependency, we may potentially be asked to move away from Spring altogether.

Is there a way to remove the dependency on Jackson from the Spring framework, and if not, are we truly at risk? If we are not at risk, how can we demonstrate this to our security team?

MikeF
  • Just out of curiosity: where do you work? – Gergely Bacso Dec 16 '18 at 14:11
  • Can you refer a link to Jackson Databind vulnerabilities? – Ori Marko Dec 16 '18 at 14:12
  • Have you tried `spring.http.converters.preferred-json-mapper=gson`? – jaco0646 Dec 16 '18 at 14:33
  • There is no runtime dependency on Jackson. Spring supports both Jackson and Gson. So as long as you haven't declared Jackson as a dependency nothing is wrong; if you have, make sure you use the most recent versions. – M. Deinum Dec 16 '18 at 18:15
  • Spring Boot isn't just Spring. You mention Spring, and nowhere in your post do you relate it to Spring Boot... Hence Spring itself still doesn't have a runtime dependency on Jackson. – M. Deinum Dec 16 '18 at 18:35
  • Also, even when using Spring Boot, Jackson being on the classpath still doesn't mean it is being used. If you use a classic form and not a REST endpoint it still isn't used. If you have configured Spring Boot to prefer GSON over Jackson it also isn't used. So stating that it is a dependency and thus is an issue is a bit too shortsighted. – M. Deinum Dec 16 '18 at 19:23
  • @user7294900: [CVE list](https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html). Spring-boot 2.0.6 is not vulnerable to any of those. Spring boot 1.5.10 is (with default dependency management) – Andy Brown Dec 17 '18 at 10:49
  • @AndyBrown so, as in my answer, the user should upgrade their libraries – Ori Marko Dec 17 '18 at 10:52

1 Answer


As with any other software, you should upgrade your libraries; the latest Jackson, 2.9.8, was released with security fixes:

As usual, upgrade recommended: this patch release contains multiple security-related fixes so upgrade STRONGLY recommended.

See release notes for more info.

Ori Marko
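One way to produce the evidence the question asks for, as an added example that is neither the asker's nor the Spring/Jackson projects' code: scan `mvn dependency:tree` output for `jackson-databind` and compare each version found against the 2.9.8 release named in the answer. The tree text below is constructed sample input in Maven's default `groupId:artifactId:type:version:scope` format.

```python
"""Scan `mvn dependency:tree` output for jackson-databind and flag any
version below the fixed release named in the answer (2.9.8).
Added example, not code from the question or from Spring/Jackson."""
import re

FIXED_VERSION = (2, 9, 8)  # release with security fixes, per the answer

# Constructed sample output, modelled on Maven's default tree format.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.10.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:1.5.10.RELEASE:compile
[INFO] |  |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.8.10:compile
[INFO] |  \\- org.springframework:spring-webmvc:jar:4.3.14.RELEASE:compile
[INFO] \\- com.google.code.gson:gson:jar:2.8.5:compile
"""

# Maven coordinate as printed in the tree; scope is absent on the root line.
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+)"
    r":(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?"
)

def parse_version(version):
    """Leading numeric part only: '2.8.10' -> (2, 8, 10), '1.5.10.RELEASE' -> (1, 5, 10)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    return tuple(int(x) if x else 0 for x in m.groups())

def find_jackson(tree_text):
    """Return [(coordinate, version, below_fixed)] for every jackson-databind node."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        if (m.group("group"), m.group("artifact")) == ("com.fasterxml.jackson.core", "jackson-databind"):
            version = m.group("version")
            coord = f"{m.group('group')}:{m.group('artifact')}"
            findings.append((coord, version, parse_version(version) < FIXED_VERSION))
    return findings

def is_clean(tree_text):
    """True when no jackson-databind below the fixed version is on the classpath."""
    return not any(below for _, _, below in find_jackson(tree_text))

if __name__ == "__main__":
    for coord, version, below in find_jackson(SAMPLE_TREE):
        print(f"{coord}:{version} {'BELOW 2.9.8' if below else 'ok'}")
    print("clean" if is_clean(SAMPLE_TREE) else "action needed")
```

Pipe real output in with `mvn dependency:tree | python3 scan.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; an empty result is the evidence that Jackson is not on the classpath at all.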