Com.fasterxml.jackson.core:jackson-databind Vulnerability

Hi all,

We have a set of containerized Lucee instances that we run on AWS in ECS. When we upload our images to ECR, we get 50+ “critical” vulnerabilities that are identified in the ECR container scanning. It looks like most of these are related back to com.fasterxml.jackson.core:jackson-databind 2.3.3 which is found in the opt/lucee/server/lucee-server/bundles/org.lucee.ehcache-2.10.3.jar path. I think the Hibernate extension is pulling in EHCache, but I’m not sure.

Any ideas on how to remediate this?



I can find “databind” only in the Redis extension, “jackson” is present in S3 and Redis Extension and “EHCache” is in Hibernate and of course in the EHCache extension.
If you raise a ticket ( we can take a closer look at this and update this extensions.
If you don’t use these extensions you can of course simply uninstall them.

Ticket in Jira : EHIB-34 - AWS ECR Image Scanner : Several Vulnerabilities in Hibernate Extension

I moved the ticket to LDEV [LDEV-3982] - Lucee