com.fasterxml.jackson.core:jackson-databind Vulnerability

Hi all,

We have a set of containerized Lucee instances that we run on AWS in ECS. When we upload our images to ECR, we get 50+ “critical” vulnerabilities that are identified in the ECR container scanning. It looks like most of these are related back to com.fasterxml.jackson.core:jackson-databind 2.3.3 which is found in the opt/lucee/server/lucee-server/bundles/org.lucee.ehcache-2.10.3.jar path. I think the Hibernate extension is pulling in EHCache, but I’m not sure.

https://nvd.nist.gov/vuln/detail/CVE-2018-19361

Any ideas on how to remediate this?

Thanks!

Dylan

I can find “databind” only in the Redis extension; “jackson” is present in the S3 and Redis extensions, and “EHCache” is in Hibernate and of course in the EHCache extension.
If you raise a ticket (https://issues.lucee.org) we can take a closer look at this and update these extensions.
If you don’t use these extensions, you can of course simply uninstall them.
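An added check, not code from this thread or from the Lucee project: a small Python script that inventories every copy of jackson-databind inside a set of bundle jars, including copies nested inside another jar as in the org.lucee.ehcache-2.10.3.jar finding above, so the scanner result can be confirmed and re-checked after an extension is updated or uninstalled. The sample bundle it builds is a constructed stand-in, and the minimum fixed version is a caller-supplied assumption.

```python
import io
import re
import zipfile

# Maven metadata path of the library the ECR scan flagged in the post above.
POM_PROPERTIES = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
NESTED_JAR = re.compile(r"(?:^|/)jackson-databind-(\d+(?:\.\d+)+)[^/]*\.jar$")

def version_tuple(version):  # '2.9.8' -> (2, 9, 8); qualifiers such as '-rc1' are ignored
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", version).group(0).split("."))

def find_jackson_databind(jar_bytes, where=""):
    """[(location, version)] for each jackson-databind copy in a jar: flattened classes
    (pom.properties present) or a nested jar, recursing into other embedded jars."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            loc = f"{where}!/{name}" if where else name
            if name == POM_PROPERTIES:
                m = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
                if m:
                    found.append((loc, m.group(1).strip()))
            elif name.lower().endswith(".jar"):
                m = NESTED_JAR.search(name)
                if m:  # the embedded jar itself is jackson-databind
                    found.append((loc, m.group(1)))
                    continue
                try:  # some other embedded jar: look inside it too
                    found.extend(find_jackson_databind(zf.read(name), loc))
                except zipfile.BadZipFile:
                    pass
    return found

def vulnerable_copies(bundles, min_fixed):
    """bundles: iterable of (jar name, jar bytes). Reports copies older than min_fixed."""
    return [(loc, v) for name, data in bundles for loc, v in find_jackson_databind(data, name)
            if version_tuple(v) < version_tuple(min_fixed)]

def build_sample_bundle():
    """Constructed input (not a real Lucee artifact): a bundle embedding jackson-databind 2.3.3."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPERTIES, "artifactId=jackson-databind\nversion=2.3.3\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("lib/jackson-databind-2.3.3.jar", inner.getvalue())
    return outer.getvalue()
```

To run it against a real instance, pass `(jar.name, jar.read_bytes())` pairs for the jars under /opt/lucee/server/lucee-server/bundles and use 2.9.8 as the threshold, the fixed version named in the linked NVD entry.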

Ticket in Jira: EHIB-34 - AWS ECR Image Scanner: Several Vulnerabilities in Hibernate Extension

I moved the ticket to LDEV [LDEV-3982] - Lucee