
      The files related to the Jackson-databind library used by JIRA are out of date. While JIRA does not employ methodology which would enable exploitation of these old vulnerabilities (detailed in CVE-2017-15095), the problem is with the vulnerable files existing on the file system at all. They can trigger false positives against vulnerability scans.

      The following library files are affected:

      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-annotations-2.3.0.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-core-2.3.2.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-databind-2.3.2.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle150\version0.0\jackson-module-scala-2.10-provider-plugin-0.5.jar-embedded\jackson-module-scala-2.10-1.9.3.3.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle34\version0.0\atlassian-gadgets-directory-plugin-4.2.21.jar-embedded\META-INF\lib\jackson-core-asl-1.4.4.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle34\version0.0\atlassian-gadgets-directory-plugin-4.2.21.jar-embedded\META-INF\lib\jackson-mapper-asl-1.4.3.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\atlassian-bundled-plugins\jackson-module-scala-2.10-provider-plugin-0.5.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-1.0.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-core-asl-1.9.13-atlassian-1.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-mapper-asl-1.9.13-atlassian-1.jar
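
An added example, not part of the original issue and not Atlassian's code: a Python inventory of the Jackson jars a file-based scanner would see under an install or home directory, including copies embedded inside plugin jars, with the version read from each jar's manifest when one is present. The function names and the `!/` notation for embedded entries are this example's own choices.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Last path segment starts with "jackson" and ends in ".jar".
JACKSON_JAR = re.compile(r"(^|/)jackson[^/]*\.jar$", re.IGNORECASE)

def manifest_version(zf):
    """Return Implementation-Version (else Bundle-Version) from the jar manifest, or None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:[ \t]*(\S+)", text, re.MULTILINE)
        if m:
            return m.group(1)
    return None

def scan_jar(data, location, depth=0, max_depth=3):
    """Yield (location, version) if this is a Jackson jar, then recurse into embedded jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # unreadable or truncated archive: skip it
    with zf:
        if JACKSON_JAR.search(location.replace("\\", "/")):
            yield location, manifest_version(zf)
        if depth < max_depth:  # bound the nesting followed inside archives
            for name in zf.namelist():
                if name.lower().endswith(".jar"):
                    yield from scan_jar(zf.read(name), f"{location}!/{name}", depth + 1, max_depth)

def inventory(root):
    """Walk root and list every Jackson jar, on disk or embedded in another jar."""
    found = []
    for path in sorted(Path(root).rglob("*.jar")):
        if path.is_file():
            found.extend(scan_jar(path.read_bytes(), str(path)))
    return found

if __name__ == "__main__":
    # Usage: python jackson_inventory.py <JIRA_INSTALL or JIRA_HOME directory>
    for location, version in inventory(sys.argv[1]):
        print(f"{version or 'unknown':<24} {location}")
```

Comparing the output before and after an upgrade shows whether old copies remain on disk, for example in a plugin cache that was not rebuilt.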

            [JRASERVER-71535] Update jackson-databind library bundled with JIRA

            AB made changes -
            Remote Link Original: This issue links to "VULN-196472 (Security JIra)" [ 504268 ] New: This issue links to "VULN-196472 (ASEC/J)" [ 504268 ]
            AB made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Gathering Interest [ 11772 ] New: Closed [ 6 ]

            AB added a comment - - edited

            Hi,

            This issue is now patched in versions 8.13.1, 8.14.0, and 8.5.10.

            SET Analytics Bot made changes -
            UIS Original: 2 New: 4
            SET Analytics Bot made changes -
            UIS Original: 1 New: 2
            Security Metrics Bot made changes -
            Labels Original: dmb-legacy-jac-none no-cvss-required security New: dmb-legacy-jac-none no-advisory-required no-cvss-required security
            AB made changes -
            Remote Link New: This issue links to "VULN-196472 (Security JIra)" [ 504268 ]
            AB made changes -
            Link New: This issue causes JRASERVER-71548 [ JRASERVER-71548 ]
            AB made changes -
            Component/s New: raid [ 56392 ]
            Component/s Original: API and Integrations [ 35993 ]
            Key Original: JSDSERVER-6987 New: JRASERVER-71535
            Project Original: Jira Service Desk Server and Data Center [ 15611 ] New: Jira Server and Data Center [ 10240 ]

            AB added a comment -

            Hi dc2568792d03, I've identified the problem as coming from a particular plugin dependency in Jira Core; the plugin version likely needs to be upgraded. I'll sort out the plugin and keep you posted.


              ablack@atlassian.com AB
              sseaver Shaun S
              Votes: 11
              Watchers: 15