[JRASERVER-71535] Update jackson-databind library bundled with JIRA

Type: Suggestion
Resolution: Fixed
Fix Version/s: None
Component/s: raid
Labels:

UIS:
4
Support reference count:
2
Feedback Policy:

We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

The files related to the Jackson-databind library used by JIRA are out of date.. While JIRA does not employ methodology which would enable exploitation of these old vulnerabilities(detailed in CVE-2017-15095), the problem is with the vulnerable files existing on the file system at all. They can trigger false positives against vulnerability scans.

The following library files are affected

<JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-annotations-2.3.0.jar
<JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-core-2.3.2.jar
<JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-databind-2.3.2.jar
<JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle150\version0.0\jackson-module-scala-2.10-provider-plugin-0.5.jar-embedded\jackson-module-scala-2.10-1.9.3.3.jar
<JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle34\version0.0\atlassian-gadgets-directory-plugin-4.2.21.jar-embedded\META-INF\lib\jackson-core-asl-1.4.4.jar
<JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle34\version0.0\atlassian-gadgets-directory-plugin-4.2.21.jar-embedded\META-INF\lib\jackson-mapper-asl-1.4.3.jar
<JIRA_INSTALL>\atlassian-jira\WEB-INF\atlassian-bundled-plugins\jackson-module-scala-2.10-provider-plugin-0.5.jar
<JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-1.0.jar
<JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-core-asl-1.9.13-atlassian-1.jar
<JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-mapper-asl-1.9.13-atlassian-1.jar

causes: VULN-196472 Failed to load

AB made changes - 11/Oct/2023 6:25 AM

Remote Link

Original: This issue links to "VULN-196472 (Security JIra)" [ 504268 ]

New: This issue links to "VULN-196472 (ASEC/J)" [ 504268 ]

AB made changes - 09/Aug/2021 3:57 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Gathering Interest [ 11772 ]	New: Closed [ 6 ]

SET Analytics Bot made changes - 05/Aug/2021 2:12 AM

UIS

Original: 2

New: 4

SET Analytics Bot made changes - 06/Nov/2020 12:31 AM

UIS

Original: 1

New: 2

Security Metrics Bot made changes - 14/Sep/2020 11:59 PM

Labels

Original: dmb-legacy-jac-none no-cvss-required security

New: dmb-legacy-jac-none no-advisory-required no-cvss-required security

AB made changes - 14/Sep/2020 2:33 AM

Remote Link

New: This issue links to "VULN-196472 (Security JIra)" [ 504268 ]

AB made changes - 14/Sep/2020 2:17 AM

Link

New: This issue causes JRASERVER-71548 [ JRASERVER-71548 ]

AB made changes - 09/Sep/2020 11:48 PM

Component/s		New: raid [ 56392 ]
Component/s	Original: API and Integrations [ 35993 ]
Key	Original: ~~JSDSERVER-6987~~	New: ~~JRASERVER-71535~~
Project	Original: Jira Service Desk Server and Data Center [ 15611 ]	New: Jira Server and Data Center [ 10240 ]

AB made changes - 09/Sep/2020 3:12 AM

Assignee

New: AB [ ablack@atlassian.com ]

AB made changes - 09/Sep/2020 2:57 AM

Component/s		New: API and Integrations [ 35993 ]
Key	Original: ~~JRASERVER-66511~~	New: ~~JSDSERVER-6987~~
Project	Original: Jira Server and Data Center [ 10240 ]	New: Jira Service Desk Server and Data Center [ 15611 ]

Assignee:: AB

Reporter:: Shaun S

Votes:: 11 Vote for this issue

Watchers:: 15 Start watching this issue

Created:: 19/Dec/2017 11:03 PM

Updated:: 11/Oct/2023 6:25 AM

Resolved:: 09/Aug/2021 3:57 AM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates