Logstash how to solve the problem about jackson-databind CVE-2019-12384

muyuqj · August 7, 2019, 3:54am

logstash how to solve the problem about jackson-databind CVE-2019-12384

my path is:
/usr/local/logstash/logstash-core/lib/jars/jackson-annotations-2.9.5.jar
it is seem the jackson lib version is 2.9.5,
This bug must update the jackson lib to 2.9.9.1
But the lastest logstash's version of jackson lib is 2.9.8,So i don't know how to solve this problem , Anyone can help me ?

guyboertje · August 7, 2019, 10:26am

Logstash is not vulnerable to this CVE.

We only use Jackson to deserialise JSON strings into a fixed (controlled by us) set of internal or standard Ruby/Java classes and then to serialise these same fixed set of classes into standard JSON.

We will update Jackson and JrJackson in due course.

muyuqj · August 7, 2019, 10:33am

Thanks .

Topic		Replies	Views
Logstash how to solve the problem about jackson-databind CVE-2020-9548 Logstash	1	485	October 20, 2020
Logstash--jackson-databind vulnerabilities for logstash-7.9.0 Logstash	1	383	December 8, 2020
Logstash-8.3.3 (latest) still using jackson-databind-2.9.10.8 Logstash	1	535	September 6, 2022
Vulnerabilities associated with jackson-databind 2.8.11.3 Elasticsearch	1	886	May 14, 2020
Logstash-input-beats and logstash-input-http : log4j-api need upgraded >= 2.8.2 as vulnerability CVE-2017-5645 Logstash elastic-stack-security	1	673	December 25, 2018

Logstash how to solve the problem about jackson-databind CVE-2019-12384

Related topics