Upgrade jackson-databind to 2.9.x for vulnerability issue #319

Closed
Iker-Jimenez opened this issue Nov 14, 2017 · 10 comments

@Iker-Jimenez

jackson-databind prior to 2.9.1 has a serious remote execution bug. See FasterXML/jackson-databind#1723

We are using jongo in production and will be forced to remove it if we don't get a patched version of it soon. Is there an ETA for a new release of jongo with a newer version of jackson-databind?

@ctrimble
Contributor

That ticket shows that the patch was rolled out to the 2.8.x, 2.7.x, and 2.6.x lines of development. I am running Jongo with the 2.8.x line. You should just be able to update your Jackson dependency.

@bguerout
Owner

@ctrimble is right.
I have just tested release 1.3.0 against Jackson v2.8.10 (+bson4jackson v2.7.0) and all tests pass.
According to this issue, FasterXML/jackson-databind#1737, v2.8.10 contains the most recent blacklist.

@Stephan202

True. But irrespective of whether upgrading to 2.9.x is necessary, Jongo does prevent doing so, it seems:

com.fasterxml.jackson.databind.introspect.AnnotatedMember.fixAccess()V
	at org.jongo.marshall.jackson.JacksonObjectIdUpdater.mustGenerateObjectId(JacksonObjectIdUpdater.java:48)
	at org.jongo.Insert.preparePojo(Insert.java:72)
	at org.jongo.Insert.save(Insert.java:47)
	at org.jongo.MongoCollection.save(MongoCollection.java:128)
	...

I haven't checked myself whether it'd be hard to fix this in a backwards-compatible manner; just to point out that this ticket has merit.

@ctrimble
Contributor

@Stephan202 I agree that 2.9.x support needs to be added at some point, but this ticket should stay focused on providing an immediate way to resolve this vulnerability. A different ticket should be opened about supporting 2.9.x.

@Stephan202

Actually, I forgot that my very own colleague @philleonard fixed that issue in PR #312. Maybe we can have a release with that? :D.

@Iker-Jimenez
Author

Thanks @Stephan202, @ctrimble and @bguerout for the super quick response. You are right, we can use 2.8.10 to close the security issue.
We also tried building Jongo from master with the 2.9.2 version as @Stephan202 did and hit that same issue with "fixAccess".
There is definitely some work involved in migrating to jackson-databind 2.9.x; it looks like the API has had some methods you guys are using removed.
Thanks again for being so helpful.

@Iker-Jimenez
Author

Closing this, as we can specify the newest jackson-databind in our project to fix the problem. I think you should consider releasing a 1.3.1 with a patched version of jackson-databind anyway, to help secure projects using your library.
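The workaround the thread settles on, pinning the patched Jackson line from your own build instead of waiting for a Jongo release, as an added Maven example (not code from the Jongo project). It assumes a project depending on Jongo 1.3.0 and uses the standard Maven Central coordinates for Jongo, Jackson and bson4jackson.

```xml
<!-- pom.xml fragment (added example). Jongo 1.3.0 was confirmed above to pass
     its test suite against Jackson 2.8.10 + bson4jackson 2.7.0, and 2.8.10
     carries the deserialization blacklist fix from jackson-databind#1723. -->
<project>
  <properties>
    <!-- One place to bump when the next 2.8.x patch release ships. -->
    <jackson.version>2.8.10</jackson.version>
    <bson4jackson.version>2.7.0</bson4jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement pins these versions for every path in the
           dependency graph, including the transitive one pulled in by Jongo.
           Keep core and annotations in lock-step with databind.
           Do NOT raise this to 2.9.x with Jongo 1.3.x: 2.9 removed the
           no-arg AnnotatedMember.fixAccess() and you get the fixAccess()V
           failure shown earlier in this thread. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>de.undercouch</groupId>
        <artifactId>bson4jackson</artifactId>
        <version>${bson4jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.jongo</groupId>
      <artifactId>jongo</artifactId>
      <version>1.3.0</version>
    </dependency>
  </dependencies>
</project>
```

After the change, confirm that no other Jackson version is left on the classpath with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`; every jackson-* line should read 2.8.10.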

@wrey75

wrey75 commented Feb 12, 2018

Hi, why is there no 1.3.1 release yet? We updated to Jackson 2.9.2 and we are not able to use Jongo anymore. I know there is a version 1.4 pending, but no release in the Maven repository. Can you provide a workaround? Thanks in advance.

@bguerout bguerout modified the milestones: 1.3.1, 1.4.0 Feb 18, 2018
@bguerout
Owner

Hello, you can find the release plan in the milestone section of the project: https://github.com/bguerout/jongo/milestones.

To sum up,

  • 1.3.1: Jackson fixAccess(true) and Jackson update to 2.7.9
  • 1.4.0: Jackson and bson4jackson updated to 2.9.x
  • 1.5.0: New API to deal with mongo java driver API v3

@bguerout bguerout removed this from the 1.3.1 milestone Mar 15, 2018
@bguerout bguerout added this to the 1.4.0 milestone Apr 30, 2018
@bguerout
Owner

Hello, 1.3.1 and 1.4.0 have been released.

  • 1.3.1: Jackson fixAccess(true) and Jackson update to 2.7.9
  • 1.4.0: Jackson and bson4jackson updated to 2.9.x and enhancement of Jongo classes extensibility

You can find more information here: https://github.com/bguerout/jongo/releases
