Shaded version of Jackson Databind affected by CVE-2020-25649

[cmuchinsky]

The version of Jackson Databind (2.10.2) that is shaded within the bundle is affected by CVE-2020-25649 and is affecting security scans for components that embed the bundle jar.

[tcherel]

Any chances to get a fix for this or an official statement saying that ibm-cos-sdk-java is not affected?

[IBMeric]

This notice came in after the code freeze for our latest release. At the time I did try making these as last-minute updates, but there were several test failures that we did not have time to investigate. The upstream AWS project still uses an even older version for Java 6 compatibility, which may be a complicating factor. We are tracking this internally.

[tcherel]

Thanks @IBMeric
Is there a way to determine if ibm-cos-sdk-java is exposed to the CVE-2020-25649 vulnerability?
If it is exposed or if there is no easy way to know, any ETA as when a new version might be available with an updated version of jackson databind?

[IBMeric]

We inherit the jackson-databind dependency from the upstream AWS S3 SDK. The AWS S3 stance is that they are not vulnerable to several CVEs as evidenced here: aws/aws-sdk-java#2096. We will address it as soon as AWS S3 addresses it and makes a release available, or if we are able to do it independent of them without uncovering issues in this quarter.

[tcherel]

@IBMeric seems that AWS S3 SDK v2 has already addressed this issue: aws/aws-sdk-java-v2#2207
Can we use that?

[tcherel]

@IBMeric any updates? Thanks

[IBMeric]

@tcherel This has already been fixed and will appear in our mid-March release.

[tcherel]

This is excellent news. Thanks @IBMeric

[IBMeric]

This issue has been resolved in 2.9.1.