Logstash how to solve the problem about jackson-databind CVE-2019-12384

muyuqj · August 7, 2019, 3:54am

logstash how to solve the problem about jackson-databind CVE-2019-12384

my path is:
/usr/local/logstash/logstash-core/lib/jars/jackson-annotations-2.9.5.jar
it is seem the jackson lib version is 2.9.5,
This bug must update the jackson lib to 2.9.9.1
But the lastest logstash's version of jackson lib is 2.9.8,So i don't know how to solve this problem , Anyone can help me ?

guyboertje · August 7, 2019, 10:26am

Logstash is not vulnerable to this CVE.

We only use Jackson to deserialise JSON strings into a fixed (controlled by us) set of internal or standard Ruby/Java classes and then to serialise these same fixed set of classes into standard JSON.

We will update Jackson and JrJackson in due course.

muyuqj · August 7, 2019, 10:33am

Thanks .

system · September 4, 2019, 10:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash--jackson-databind vulnerabilities for logstash-7.9.0 Logstash	1	344	December 8, 2020
Logstash how to solve the problem about jackson-databind CVE-2020-9548 Logstash	1	434	October 20, 2020
Vulnerabilities associated with jackson-databind 2.8.11.3 Elasticsearch	1	824	May 14, 2020
Vulnerability CVE-2020-25649 reported on Elasticsearch 7.17.4 Elasticsearch	3	434	July 11, 2022
Logstash using vulnerable JDK Logstash	7	4277	September 28, 2021

Logstash how to solve the problem about jackson-databind CVE-2019-12384

Related topics